WatchGuard Wire
iTunes 9.2 fixes a cartload of WebKit vulnerabilities
11 June, 2010 -- Yesterday, Apple released a security update to fix several vulnerabilities in iTunes 9.1 (and earlier) running on Windows or OS X computers. Specifically, the update corrects 38 security issues (counted by CVE-ID) in ImageIO, ColorSync, and WebKit, which are components that ship with iTunes.
By far, most of the vulnerabilities are in WebKit, the open source web browser engine that iTunes uses to display web content (such as the web-based iTunes Store). Apple's advisory doesn't share many technical details about the numerous WebKit vulnerabilities. However, I imagine that if an attacker can entice you to a specially crafted website, he could exploit at least one of the flaws to execute code on your computer with your privileges. On Windows systems -- where users often have local administrative privileges -- the attacker could potentially leverage this type of flaw to gain complete control of your machine.
The remaining two issues lie in the components iTunes uses to handle images. Though the flaws differ technically, they share the same impact: by enticing you to load a specially crafted image in iTunes, an attacker can exploit either flaw to execute code on your computer and, in some cases, gain complete control of it.
If you use iTunes, the fix is simple: download and install iTunes 9.2 as soon as possible. -- Corey Nachreiner, CISSP
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.