Yesterday, Apple released an updated version of their popular media player and mobile syncing software, iTunes 10.7. The update adds new features (like support for upcoming iOS 6) and fixes security vulnerabilities.
I must admit, I pretty much ignored Apple’s email about this update at first. After all, iTunes is a media player. Not really your typical business critical software, and not something I see attackers target very often. That said, it’s important to update all of your software, so I took a peek at Apple’s alert.
Wow!
According to Apple’s security bulletin, iTunes 10.7 fixes over 160 different vulnerabilities. I don’t think I’ve ever seen a security update list so many CVE numbers for one patch.
Apple’s alert doesn’t describe these flaws in any detail, probably because there are just too many to cover. However, they do characterize the majority of the flaws as memory corruption issues in Webkit. Hackers typically exploit memory corruption flaws to either crash a program or execute code on your computer with your privileges. The only question that remains is how attackers might trigger these iTunes vulnerabilities. Apple doesn’t say, but based on past iTunes issues, I suspect that if an attacker can entice you to a special URL within iTunes, or can trick you into running a maliciously crafted media file, they could exploit many of these flaws to execute code on your computer, potentially gaining complete control of it (depending on your privileges).
In short, if you use iTunes on any platform, you should download and install 10.7 as soon as possible. — Corey Nachreiner, CISSP (@SecAdept)