Channel Register®

Original URL: http://www.channelregister.co.uk/2007/09/07/itunes_bug_patched/

Apple patches critical iTunes bug

Buffer overflow risk neutered

By SecurityFocus

Posted in Software & Security, 7th September 2007 10:15 GMT

In all the hoopla surrounding Apple's announcement of its revamped line of iPods on Wednesday, many users might have missed the company's update to iTunes, which includes a fix for a serious security flaw.

The update, which brings the consumer technology company's iTunes music software to version 7.4 [1], adds the ability to turn previously bought music into ringtones and the ability to buy songs wirelessly using the iPhone and network-capable iPods. The update also patches a serious security vulnerability that could allow a specially-crafted music file to crash or take control of a victim's Windows PC or Mac, the company stated in an advisory [2].

"A buffer overflow exists in iTunes when processing album cover art," the company stated. "By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution."

Apple has patched more than 100 vulnerabilities [3] in its Mac OS X operating system and applications this year. Many security researchers and hackers have begun to focus [4] on the consumer technology company's latest mobile device, the iPhone, which received its first patch [5] in July.

Apple credited iSEC Partners [6] with the discovery of the vulnerability.

A nod to ZDNet's Zero Day blog [7].

This article originally appeared in Security Focus [8].

Copyright © 2007, SecurityFocus [9]