Apple iTunes Version 9.2.1 Patches Critical Vulnerability
Apple has issued new iTunes 9.2.1 update. The update takes care of a critical security flaw with which attackers can execute arbitrary code. The vulnerability apparently affects Windows and Mac computers running iTunes and an attacker can exploit it through a maliciously-created 'itpc:' link for hijacking an end-user's computer.
Secunia, the Danish vulnerability intelligence firm, the vulnerability (CVE-2010-1777) is a result of a boundary fault caused from the manner in which iTunes uses specific 'itpc:' links, as reported by SoftPedia on July 20, 2010.
During an attack, the attacker creates a special URL and deceives users so that they access it. If he manages to exploit the vulnerability successfully, then a situation of 'heap overflow' results that makes the computer susceptible to attack.
Apple states in a support document posted on its website that visiting a maliciously-created 'itpc:' URL may result in random code execution or sudden termination of application. Apple has set right the flaw via enhanced bounds checking, as reported by Apple on July 19, 2010.
According to the security researchers, the above kind of flaws disturbing URL handling methods prove extremely risky as not much technical skill is required to exploit them.
They further state that given the massive user-base of iTunes following the widespread acceptance of iPads, iPhones and iPods, the security flaw creates an opportunity for bulk assaults.
Amidst the myriad problems solved, there are updates that take care of minor problems in items dragged-and-dropped in iTunes; the implementation factor following synchronization with certain devices unlike before using iTunes 9.2; a problem related to upgradation to iOS 4 on iPod and iPhone touches encoded backups; as well as the necessary progresses for performance and stability.
However, the most vital problem solved with the upgraded iTune 9.2.1 is that the version deactivates earlier versions of certain unsuited third party plug-ins.
A same type of vulnerability within Windows XP processes hcp: (Help and Support Center) URLs, a 0-day flaw, was revealed in the beginning of June 2010. Both targeted and drive-by-download attacks successfully exploited that flaw.
Related article: Apple Patches QuickTime 13 Month Old Flaw
» SPAMfighter News - 31-07-2010