Apple Uses Security Advisory to Push iTunes 10 Upgrade

2010-09-02T15:46:00
ID APPLE-USES-SECURITY-ADVISORY-PUSH-ITUNES-10-UPGRADE-090210/74419
Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:36:10

Description

Social networking features, a rockin’ new logo and GUI improvements aren’t the only reasons you should upgrade to iTunes 10, says Apple. The update to Apple’s popular music player software, released on Wednesday, also fixes a bunch of gaping vulnerabilities that could make earlier versions susceptible to Web-based attacks.

On Wednesday, CEO Steve Jobs took the stage to introduce a raft of new products, including a new version of iTunes. The update includes new social networking capabilities for iTunes, which Apple has dubbed “Ping,” and which allow users to share data on what music they’re listening to. (Stereolab, if you were wondering.)

Behind the scenes, though, Apple quietly issued a security advisory suggesting another good reason to upgrade to the new player: a fix for some 13 known vulnerabilities in WebKit for Windows, a component of Apple’s Safari Web browser and also of iTunes for Windows.

According to Apple, iTunes 10 incorporates security fixes provided in the Safari 5.0 release, including fixes for cross-site scripting, information leakage and memory corruption vulnerabilities. The holes, including a flaw in the way Safari handled form AutoFill functions, could make users of iTunes for Windows 7, Windows Vista and Windows XP SP2 systems vulnerable to remote exploits using maliciously crafted Web sites or RSS feeds.

As reported by Threatpost, researchers at the annual Black Hat Briefings in Las Vegas showed how the AutoFill vulnerability could enable attackers to siphon personal information about users from Safari browsers.

Apple posted details of the patched vulnerabilities on its support Web site.