Apple Patches iTunes MPEG Decoding Flaw

Apple Computer Inc. has debuted version 4.8 of its iTunes music-playing application, which adds support for a few new features and fixes a serious security vulnerability.

The update is Apple's third serious security fix in as many weeks, following a combined update last week repairing 20 bugs, and an April patch for OS X and the Safari browser. All three have included vulnerabilities that could allow an Internet attacker to take over a system.

The iTunes flaw, affecting versions of the software up to 4.8, involves the way the application parses MPEG-4 files, such as the AAC (Advanced Audio Coding) files sold on the iTunes Music Store. A buffer overflow could be exploited by malicious MPEG-4 files to cause iTunes to crash or execute malicious code. The flaw was discovered by NGS Software, according to Apple's advisory.

The new iTunes version fixes the problem by improving the validation checks used when loading MPEG-4 files, Apple officials said. Independent security firm Secunia gave the flaw a "highly critical" rating. iTunes has become widespread on enterprise and home desktops due to the success of Apple's iPod music player, which uses iTunes as its interface on Windows and Mac OS X.

Read the full story: Apple Patches iTunes MPEG Decoding Flaw.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in ExtremeTech.