Apple iTunes Playlist Buffer Overflow Vulnerability

2005-01-11T00:00:00
ID SMNTC-12238
Type symantec
Reporter Symantec Security Response
Modified 2005-01-11T00:00:00

Description

Apple iTunes is prone to a buffer overflow vulnerability. This issue is exposed when the application parses 'm3u' and 'pls' playlist files. As these files may originate from an external source, this issue is considered remotely exploitable. If the vulnerability is successfully exploited, it will result in execution of arbitrary code in the context of the user running the application.
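The bug class the advisory describes, as an added illustration that is not iTunes code and not from the advisory: a playlist entry copied into a fixed buffer with no bound, beside a bounded version that refuses over-long lines and reports them. ENTRY_MAX, the function names and the sample playlist are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 256   /* constructed fixed capacity for one playlist entry */

/* Vulnerable pattern (illustrative, not iTunes code): the entry is copied into
 * a fixed buffer with no length check, so a line of ENTRY_MAX bytes or more
 * writes past the end of dst. */
void copy_entry_unbounded(char *dst, const char *line) {
    strcpy(dst, line);
}

/* Hardened version: measure the line without its terminator, refuse it if it
 * does not fit, and always leave dst NUL-terminated. */
bool copy_entry_bounded(char *dst, size_t cap, const char *line) {
    size_t n = strcspn(line, "\r\n");
    if (n >= cap) return false;     /* would overflow: reject instead of copying */
    memcpy(dst, line, n);
    dst[n] = '\0';
    return true;
}

typedef struct { int accepted; int rejected; } scan_result;

/* Walk an in-memory m3u/pls text line by line. Blank lines, '#' comments
 * (#EXTM3U, #EXTINF) and '[' section headers ([playlist]) are skipped;
 * every other line is treated as an entry and passed through the bounded copy. */
scan_result scan_playlist(const char *text) {
    scan_result r = {0, 0};
    char entry[ENTRY_MAX];
    for (const char *p = text; *p; ) {
        const char *eol = p + strcspn(p, "\n");
        if (eol > p && *p != '#' && *p != '[' && *p != '\r') {
            if (copy_entry_bounded(entry, sizeof entry, p)) r.accepted++;
            else r.rejected++;
        }
        p = (*eol == '\n') ? eol + 1 : eol;
    }
    return r;
}

/* Constructed sample: two ordinary entries plus one 304-byte path that must be rejected. */
scan_result sample_scan(void) {
    char longname[301];
    char text[512];
    memset(longname, 'A', 300);
    longname[300] = '\0';
    snprintf(text, sizeof text,
             "#EXTM3U\n#EXTINF:1,Song\nsong.mp3\nhttp://example.invalid/a.mp3\n%s.mp3\n",
             longname);
    return scan_playlist(text);
}
```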

Technologies Affected

  • Apple iTunes 4.2.0.72
  • Apple iTunes 4.5.0
  • Apple iTunes 4.6.0
  • Apple iTunes 4.7.0

Recommendations

Do not accept or execute files from untrusted or unknown sources.
Do not open or accept files that originate from an unfamiliar or untrusted source.

Run all software as a nonprivileged user with minimal access rights.
All non-administrative tasks should be performed as an unprivileged user with minimal access rights. This will limit the impact of vulnerabilities in applications.

Apple has released iTunes 4.7 to address this vulnerability. Mac OS X users may automatically apply this update through the Software Update pane in System Preferences. Manual updates for Mac OS X and Windows are also available through the iTunes download page.