
SANS ISC: iTunes < 6.0.5 vulnerability & patch released - SANS Internet Storm Center SANS ISC InfoSec Forums


iTunes < 6.0.5 vulnerability & patch released
Apple has released an update for iTunes that fixes an integer overflow in the AAC file parsing that can lead to code execution. Y'all want to get this one patched and updated.

http://docs.info.apple.com/article.html?artnum=61798
APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID:  CVE-2006-1467
Available for:  Mac OS X v10.2.8 or later, Windows XP / 2000
Impact:  An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description:  The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.


Toby
