Originally published December 18, 2005
Critical vulnerability in iTunes found
by Mike Adams, the Health Ranger, NaturalNews Editor
The flaw in iTunes could allow attackers to launch arbitrary code remotely and take over a user's computer, according to eEye Digital Security. The flaw has only been found on the Windows operating system so far.
The discovery of this flaw comes days after Apple issued its security update for iTunes 6 for Windows.
This flaw existed on the earlier version of iTunes 6 for Windows and was not addressed by the newest security update, according to a warning issued by eEye Digital Security.
After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected "all operating systems," the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far.
However, eEye is now testing whether the flaw also affects iTunes running on Mac operating systems.
Both Apple iTunes 6 for Windows and the previous version are affected by the flaw, said Steve Manzuik, product manager at eEye.
The flaw enables malicious hackers to launch arbitrary code remotely, once a user clicks on a malicious Web site link or opens a malicious e-mail, Manzuik said.
"iTunes is widespread, so there is a large exploit base," Manzuik said, noting that no exploit code has been published to date.
The iTunes 6 for Windows security patch that Apple released earlier this week was designed to prevent the wrong helper application from launching.
The helper program searches multiple system paths to figure out which program to run, but the flaw could allow an attacker to arrange for iTunes to launch an alternate program instead.
An Apple representative was not available for comment, but the company has a policy of not discussing or confirming security issues until it has conducted an investigation and issued any needed patches, according to a posting on its Web site.
eEye says it does not provide extensive details on security flaws until a vendor has released a patch to resolve the flaw.