iTunes & QuickTime security alert

Author: Gareth Halfacree
Published: 19th September 2008
Comments (15) Stumble
iTunes & QuickTime security alert

Both iTunes and QuickTime are vulnerable to a buffer overflow attack when reading maliciously-crafted video files.

Yesterday saw the disclosure – and subsequent exploitation, predictably – of a major security flaw in the latest versions of Apple's QuickTime and iTunes packages.

According to CNet, the flaw – entered into NIST's National Vulnerability Database with ID CVE-2008-4116 – affects QuickTime 7.5.5 and iTunes 8.0.

The flaw centres around a heap-based buffer overflow which can be exploited via a long-type attribute in a QuickTime tag, either via a maliciously crafted MP4 or MOV video file or embedded within a webpage if the QuickTime browser plugin is installed. As with most buffer overflow vulnerabilities, the flaw can result in mild annoyance – a crash when the program attempts to access memory which is out of bounds – or remote code execution, which is far more serious.

The discovery of this flaw comes shortly after an update was released for issues using iTunes 8 on Windows Vista, and just days after the latest Mac OS X update was made available. Sadly, there's no patch available for this flaw as yet.

If you're hoping for a workaround, the only way to be sure of safety is to avoid using iTunes and QuickTime to play back video and audio files, and to uninstall the QuickTime browser helper component.

Has anyone noticed inexplicable crashes in iTunes over the last few days, or is this likely to be a storm in a teacup and quickly patched by Apple? Share your thoughts over in the forums.
Quote proxess 19th September 2008, 14:34
just use VLC and all is solved. gtkpod kicks itunes ass.
Quote identikit 19th September 2008, 15:31
Quote:
Originally Posted by proxess
just use VLC and all is solved. gtkpod kicks itunes ass.

Saying just use XXX isn't exactly a viable solution for the millions upon millions of people that use iTunes, iPods, iPhones etc etc.

It's an unfortunate flaw that needs addressing quickly.
Quote liratheal 19th September 2008, 15:38
That's a bit of an 'oops' moment.
Quote Anakha 19th September 2008, 15:51
Quote:
Originally Posted by identikit
Quote:
Originally Posted by proxess
just use VLC and all is solved. gtkpod kicks itunes ass.
Saying just use XXX isn't exactly a viable solution for the millions upon millions of people that use iTunes, iPods, iPhones etc etc.

When he also suggests an IPod management program (gtkpod), your point becomes seriously redundant.
Quote DarkReaper 19th September 2008, 16:07
Actually, the point is still very valid. The number of people who use iTunes is probably at least an order of magnitude bigger than the number of people who would even know how to install and use VLC and gtkpod, and then you have the ones like me who could do but actually like using iTunes for the most part and don't want to have to change and spend hours importing playlists and ratings to something new. A security flaw in the basic software for the most popular MP3 player in existence is a serious issue.
Quote rhuitron 19th September 2008, 20:18
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Oh god. Sorry, But really, I told you guys when the first update came out.
Your problem doesn't exist in the Program. Jus the fact that you actually own a product from this crappy company!
Quote dyzophoria 19th September 2008, 21:03
even with news like these apple fanboys will still say joo are all wrong, impossible!, apple stuff cannot be hacked!, now that is annoying :D
Quote DXR_13KE 20th September 2008, 00:33
i HATE it when quick time gives me the green screen....
Quote LordPyrinc 20th September 2008, 01:21
I have iTunes on my PC, but have not updated it since the initial install. I installed it so that my girlfriend could get my MP3s transferred to her iPod. I have also found it useful for downloading Podcasts from my favorite local radio station's morning show.

I wonder if the flaw affects earlier versions of the software?
Quote identikit 20th September 2008, 14:17
Quote:
Originally Posted by Anakha
Quote:
Originally Posted by identikit
Quote:
Originally Posted by proxess
just use VLC and all is solved. gtkpod kicks itunes ass.
Saying just use XXX isn't exactly a viable solution for the millions upon millions of people that use iTunes, iPods, iPhones etc etc.

When he also suggests an IPod management program (gtkpod), your point becomes seriously redundant.

Back in the day, yeah you could get away with a third party program to update your iPod. But these days is that really the best choice? It's not longer about music and playlists, but games, calendars, contacts, notes, etc etc. The whole point of iTunes, iPods and iPhones, is that they just work (or not as in this case). You have software and hardware beautifully tailored to suit each other to a t.

What's so bad about that, that you'd prefer to choose another piece of software over what is the accepted norm in 98% of the case?
Quote p3n 20th September 2008, 14:51
All of these 'possible' code execution exploits really need some form of planetary alignment worth of probabilities right? What a load of PR circle jerking... remember 'that' flaw with core 2's?
Quote Gareth Halfacree 20th September 2008, 15:03
Quote:
Originally Posted by p3n
All of these 'possible' code execution exploits really need some form of planetary alignment worth of probabilities right? What a load of PR circle jerking... remember 'that' flaw with core 2's?
Nup. See the exploit linked to from the article. It's trivial to exploit, but requires user interaction (visiting a website hosting the code, or opening a malicious QuickTime file).
Quote will. 20th September 2008, 15:48
Quote:
Originally Posted by rhuitron
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Oh god. Sorry, But really, I told you guys when the first update came out.
Your problem doesn't exist in the Program. Jus the fact that you actually own a product from this crappy company!

What a stupid thing to say.
Quote Nexxo 21st September 2008, 10:28
Quote:
Originally Posted by rhuitron
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Oh god. Sorry, But really, I told you guys when the first update came out.
Your problem doesn't exist in the Program. Jus the fact that you actually own a product from this crappy company!

Really? And what miraculous PC and software do you use, oh wise one, that makes you invulnerable to crashes and security flaws?

Give me a break. Every platform and program has its flaws. It's better to know about them than to live with a delusional sense of safety. Ignorance is not only bliss, it makes you look like an idiot too.
Quote dragontail 22nd September 2008, 10:06
Quote:
Originally Posted by rhuitron
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Oh god. Sorry, But really, I told you guys when the first update came out.
Your problem doesn't exist in the Program. Jus the fact that you actually own a product from this crappy company!
Wow. Just wow. You stated a claim without backing it whatsoever. Nevertheless, I'm interested to see what you can come up with (if you even bother). It's always mildly intriguing to see what sort of tosh complete imbeciles can come up with these days.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.