Apple iTunes Security Flaw Discovered?

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

So what? And what do we know about this exploit?

[daveschroeder (516195)]

Nothing yet, since details of the flaw won't be released by eEye until a patch is released by Apple.

If someone is wondering "should I be worried", the answer is no; exploits of this nature are usually still theoretical and not being exploited en masse "in the wild". Many of these exploits are explicitly discovered by the security organizations who have released the advisories themselves and are often not necessarily representative of any actual exploit being applied maliciously: the idea is to catch security vulnerabilities before they are actually used maliciously. Further, the exploit in question probably requires the user to specifically visit a malicious web site (other than a port open via Rende..., er I mean, Bonjour, when iTunes Sharing is enabled, I don't know of any other avenue to exploit iTunes). The exploit must, therefore, pass a url and/or file to iTunes, and therefore would very likely require visiting a malicious web site.

We don't know the details of the exploit, I can still say with it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.

This story would more accurately be:

"Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"

Is this news?

(And it's amusing that if you buy a commercial product [eeye.com] from the vendor issuing the vulnerability, you'll be protected! Not a rip on eEye, who has discovered a good deal of vulnerabilities, but it's not as if many of these security entities themselves don't have an interest in finding "vulnerabilities", no matter how nebulous or unlikely.)

Re:So what? And what do we know about this exploit

[pudge (3605)]

We don't know the details of the exploit, I can still say with it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.

I can still say it's extremely likely that there is no exploit or flaw at all. Why would anyone believe it? There's no evidence of any kind that any exploit or flaw exists, at all.

This story would more accurately be: "Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"

Close, but more accurate still would be: "Some security company trying to drum up business for itself says its product will protect users from a flaw they claim exists, but offer no details or evidence for."

Re:So what? And what do we know about this exploit

[daveschroeder (516195)]

In fairness, eEye has discovered legitimate vulnerabilities that Apple has actually included in OS and security updates.

However, I do agree with you.

And further, it's impossible for this to a "remote execute" vulnerability like the stories based on the extremely vague advisory make it out to be: you can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing enabled, which is available on your local subnet). Therefore, as I've said in another post, this vulnerability *must* be exploited via visiting a malicious web site, which then passes a url and/or file to iTunes. Period. That's the only way this could happen. It's not just something where if you run iTunes, all of a sudden you're vulnerable. Bravo to the way they've positioned it though. They probably floated out some media releases, too. I especially like the last line of the advisory:

Protection: Blink Endpoint Vulnerability Prevention mitigates any potential exploitation of this vulnerability, without requiring a patch or invasive firewall actions.

And, for what it's worth, eEye will release the "details", whatever they are, after Apple has patched whatever the issue is.

Re:So what? And what do we know about this exploit

[pudge (3605)]

And further, it's impossible for this to a "remote execute" vulnerability like the stories based on the extremely vague advisory make it out to be: you can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing enabled, which is available on your local subnet).

Well, not impossible. Go to System Preferences -> Sharing -> Remote Apple Events. Turn it on. Now someone can do pretty much what they want with your system. If they have a valid username/password (or you turned on the Mac OS 9 password ... which wouldn't be a security flaw, but part of the design).

I could, for example, do something like:

glue Finder '$g->ADDRESS(eppc => Finder => "your.machine.example.com"); $g->obj(item => 1)->delete'

That would be mean and cruel. And it works over the Internet. And it would also require me to have a username and password on your machine.

And, for what it's worth, eEye will release the "details", whatever they are, after Apple has patched whatever the issue is.

And if they do, I will care at that time. It's the height of irresponsibility to release details in this way. The only point is to scare people into buying their product. And therefore I consider it, until actual details emerge, a malicious hoax.

Re:So what? And what do we know about this exploit

[shawb (16347)]

Why would people believe it? Most likely because the company wouldn't want to be sued for libel [wikipedia.org] by Apple.

Re:So what? And what do we know about this exploit

[Justin_Schuh (322319)]

iTunes has a lot more attack surface than than just file sharing via Bonjour. There's the potential for privelege escalation or remote exploit via the iPod service that comes with it. I agree that playing the disclosure game does encourage security companies to release hazy vulnerabilities reports early and often. But dismissing a security threats is generally not a good idea either.

Re:So what? And what do we know about this exploit

[misleb (129952)]

Of course, then you have to wonder how many of these vulnerabilities are discovered by Black Hats and never release information. Black Hats are probably sitting on hundreds of otherwise undiscovered exploits. There is no reason to believe that only "security organizations" can find exploits like this.

-matthew

Inconceivable!

[stupidfoo (836212)]

A security flaw in an Apple product? That's inconceivable!

Re:Inconceivable!

[paranode (671698)]

The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X

And here I thought I would avoid these problems with BeOS.

Re:Inconceivable!

[paranode (671698)]

You better shut your iHole!

Does not affect Mac OS X

[Raffaello (230287)]

The advisory has been corrected.

After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected "all operating systems," the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far.

from the corrected advisory:

Operating Systems Affected:
All Microsoft Operatins Systems

No other OSes listed, just MS. So Mac OS X is not known to be affected.

So

[voice_of_all_reason (926702)]

I just tried to get quicktime today, and now it comes with mandatory itunes.

(insert wah-wah-wah-waaaaaah sound)

What is it with companies shooting themselves in the foot this week?

quicktime standalone

[ubergrits (885297)]

You can get it without iTunes from here: http://www.apple.com/quicktime/download/standalone .html [apple.com]

Um...

[daveschroeder (516195)]

Just having iTunes doesn't mean you're automagically vulnerable to whatever this still-unannounced exploit is. And I can say that with surety without even knowing what this "exploit" actually is. And further, iTunes isn't "mandatory" (even though this is repeated ad nauseum):

QuickTime 7 standalone installer [apple.com], linked right from the download page as "QuickTime Standalone Installer"

Interesting

[andrewman327 (635952)]

iTunes is interesting. It's network streaming music feature has been cracked over and over again, as any college student knows. I'm not surprised that someone figured out how to do more malicious things.

Wow. No Kidding.

[IAmTheDave (746256)]

Wow. Software has flaw allowing remote hackery. This seems to be pretty typical of just about any piece of software written these days (or any days.)

I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.

Re:Wow. No Kidding.

[Xarius (691264)]

Wow. Software has flaw allowing remote hackery. This seems to be pretty typical of just about any piece of software written these days (or any days.)

Except for the thousands of software applications that don't have network functionality! ;)

Re:Wow. No Kidding.

[Daniel_Staal (609844)]

I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.

Both, of course. The first shows how good they are at actually designing and creating software, and the second shows how much they listen to their users/their lawyers/the press. (Take your pick.)

Not "remote executable" in those terms

[daveschroeder (516195)]

I highly, highly doubt this is a "remote execute" bug. You can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing running, which is a port available on your local subnet).

Therefore, this vulnerability must represent visiting a malicious web site, which then passes a url and/or file to iTunes. It is NOT a direct, remote execution vulnerability with iTunes itself.

Only as root

[by Anonymous Coward]

What TFA doesn't point out is that this will only affect OS X users if you're logged in as root.

How's that?

[jfengel (409917)]

I don't know the details of the situation, but there are plenty of things an exploit can do even without root: delete or read your files, open up a spam relay, perhaps even log your keystrokes. Is there something special about the nature of this flaw that it can't be exploited at all without root access?

Re:Only as root

[Yahweh Doesn't Exist (906833)]

also note (for non Mac OSX users) that root login is disabled by default.

in my life I've only ever logged in as root on a Mac once. just to see what it was like.

Re:Only as root

[Morgalyn (605015)]

A beam of glittering gold light came down on the keys, even though I had a roof over my head, and I heard this beautiful chorus of voices...

And The Score Is...

[RapidEye (322253)]

Apple Hackers: 1
Linux Hackers: 2
Windows Hackers: 134,443,229

You guys still got a ways to go... =-)

Be funnier if...

[by Anonymous Coward]

Apple Hackers: 1
Linux Hackers: 2
Windows Hackers: Buffer Overflow

Attack vector?

[J0nne (924579)]

Well, that's not a lot of info.
All they say is: 'it's vulnerable! run for the hills!'.

I don't use iTunes, so I don't really care, but what's the vector? Is it a malformed MP3/AAC file? Does iTunes run as a service that listens to a certain port, and can it be attacked through there (probably not likely, as I don't see why a music player should be listening to some port)?

This lacks information, and you really can't do anything to protect yourself if you don't know how the hell the exploit works...

Vulnerable Operating Systems

[xWastedMindx (636296)]

Operating Systems Affected:
All Microsoft Operatins Systems no where does this advisory say that OSX is affected, or any other operating system for that matter. This is Windows-Only, as usual.

Re:Vulnerable Operating Systems

[brajesh (847246)]

eEye has modified the security advisory page within last few hours. my personal GDS cache still shows the flaw affecting all operating systems, as it was when I submitted the story.

you're right, only Microsoft Operatins Systems

[digitaldc (879047)]

Where are the spelling nazis when you need them?

I don't own an iPod, but I still have iTunes

[Fox_1 (128616)]

It's annoying the way that Quicktime installs iTunes software on your machine, and buries it in registry so that it starts every time windows does. If you are looking to just have quicktime I would advise you to try an alternative or download the standalone from here [apple.com].

Re:I don't own an iPod, but I still have iTunes

[Phroggy (441)]

If you already have QuickTime installed, it should certainly be possible to download and install iTunes without QuickTime attached (but I don't think Apple makes this available for Windows; they do for Mac). However, iTunes definitely won't work without QuickTime. As another poster mentioned, iTunes uses QuickTime for media playback (which is why if you want to play Ogg Vorbis files in iTunes, the plugin you need is a QuickTime plugin which will work with all apps that use QuickTime including iTunes). However, QuickTime for Windows also includes a significant chunk of the Carbon API, which iTunes was written for. On Mac OS X (and Mac OS 8.5 and up with CarbonLib installed), the Carbon API is provided by the operating system (alongside the Cocoa API on OSX), but on Windows, without QuickTime there's no Carbon and without Carbon there's no iTunes.

Why does QuickTime include (parts of) Carbon? Because it was easier to port a chunk of Carbon (or rather, the Macintosh Toolbox, which is what Carbon grew from) to Windows than to rewrite QuickTime to use the Win32 API.

from TFA

[circusboy (580130)]

This may allow a malicious user on the local system to create an environment where an alternate program will be executed by iTunes.

Emphasis mine.

It would seem that remote attacks not possible unless the attacker had direct access to the machine in question first.

Re:from TFA

[ZachPruckowski (918562)]

Crazy idea: They aren't talking about OurTunes, are they? The program that lets people swipe music out of other users' shared libraries? I mean, that's limited to "local networks", right?

critical vulnerability of the week

[digitaldc (879047)]

This new critical vulnerability was discovered when it was found that someone turned their computer to 'ON' thereby leaving it vulnerable to crackers, hackers, script kiddies and bots. The fact that a human was operating the PC deemed it especially 'critical.'

Where does it say it effects OS X?

[Alpha_Traveller (685367)]

The article says it effects Mac OS X as well as windows, and says the security warning says that too, but:

"Operating Systems Affected:
All Microsoft Operatins Systems"

No mention of anything other than Microsoft OS'es in the provided link to the advisory.

Vector Speculation

[frankie (91710)]

With nothing more to go on than a couple vague sentences from eEye, here's my guess:

One major thing that make iTunes different from other music player apps is the Music Store integration, which operates as a limited web browser. On OSX it calls WebKit; on Windows either Apple built a custom minibrower or it calls Explorer. Does anyone know which, BTW?

In any case, this means that iTunes accepts URLs, specifically itms://[...]. It's also capable (on OSX at least) of launching your default browser and other URL helper apps. I'm guessing that Apple did a bad job validating input, and a malicious itms URL could trick iTunes into launching a remote file as if it were a helper app. Hence the local user context. If this is the case, simply viewing an evil web page (with the itms URL as a redirect/iframe/img/whatever) in most browsers should be sufficient to start the attack.

Hopefully someone will divulge the facts soon. Let's see if I'm even close.

Re:Vector Speculation

[squiggleslash (241428)]

I recall reading somewhere that iTunes actually uses QuickTime, there's no WebKit/HTML in iTunes.

On occasion, I've been bored enough to comb through my Squid proxy logs for precisely this kind of thing, and curl'd URLs to see exactly what it uses. It's some sort of XML system, but it's not HTML, and I don't see them rendering it with an HTML renderer.

It's possible the rest of your comment is true, though I'd assume this would make the hack more of a QuickTime-in-general issue rather than something limited to iTunes.

Ah, the old Macdonald exploit...

[g0at (135364)]

Is this a case of eEye E-I/O?

-b

Correction

[U2C (890363)]

": This story initially quoted an incorrect report on the eEye Digital Security Web site saying an iTunes security flaw affected both Windows and Mac operating systems. To clarify, eEye is still testing the flaw on the Mac OS."

Really severe vulnerability

[gnasher719 (869701)]

The way I understand this (from the one line in the CNet report), if you install malicious.exe on Windows or malicious.app on MacOS X, and then you go and rename malicious.exe to iTunes.exe or malicious.app to iTunes.app and then set up things in a certain way, it is possible that some code trying to launch iTunes would launch the malicious app, now called iTunes.

Be afraid. Be very afraid. The world is coming to an end.
 

eEye, eEye, Oh...

[Warlock7 (531656)]

...and sometimes, why bother?

Nothing to see here, move along. Sounds like this CRITICAL vulnerability isn't much of a vulnerability and isn't very critical...

Re:Awesome

[Braino420 (896819)]

And with the ml_ipod [winamp.com] plugin for winamp, you won't ever have to look back!

Re:Awesome

[geekoid (135745)]

Wow, you found a perfect and non-exploitable piece of saoftware.
Tell me, was it made by Pixies, or Fairies?

Re:Awesome

[kuzb (724081)]

no problem [winamp.com]

Re:AllofMP3

[Kenja (541830)]

Some of us dont like supporting the russian mafia. And remember, just because a forian government says artist dont have rights, does not mean you should agree. At least apple gives somthing back to the people who write and perform the music.

Re:AllofMP3

[avleeuwen (697047)]

Yeah, and everyone knows there are _never_ security flaws in web browsers.

Re:AllofMP3

[Llywelyn (531070)]

First. Please tell me, how is using allofmp3 different--morally or legally in the United States--from downloading the audio files from a P2P network?

Second, what divinatory powers are you using to find that the security hole somehow relates to the iTunes Music Store? I'm not saying that it isn't, but that information is nowhere to be found in the security bulletin and iTunes has more network features than just the ability to hook up to the iTMS.

Re:AllofMP3

[RzUpAnmsCwrds (262647)]

First. Please tell me, how is using allofmp3 different--morally or legally in the United States--from downloading the audio files from a P2P network?

It's easier, the files are higher-quality, and, at least in Russia, MediaServices has the rights to distribute the music that they are selling. Whether or not it is leagal for you to download those tracks has not been determined.


Second, what divinatory powers are you using to find that the security hole somehow relates to the iTunes Music Store? I'm not saying

Re:AllofMP3

[Deekin_Scalesinger (755062)]

By Jove, youre right!

celestina 11:21am /usr/home/celestina: w allofmp3.com

Organization:
OOO MediaServices
Ivan Fedorov
Planetnaya str. 29
Moscow, 125167
RU
Phone: +7 095 506-5258
Fax..: +7 095 50

Re:Bur, but..

[falcon5768 (629591)]

um no one ever said Macs where invunerable, infact many of us OS9ers remember the quicktime worm that made its self known from of all things a MacAddict CD. Its just compaired to windows we are a fractional percentage of as vulnerable as a windows machine is, which is practically saying we are invunerable.

Its basically like saying we are water resistant, while Win users are those cheap burger king watches that break by just being out on a humid day