The Discovery of Critical Security Flaws in Apple's Applications

eEye Digital Security announced the discovery of four critical security vulnerabilities related to Apple Computer and the company's QuickTime software, as well as the download application for its iTunes music store. These flaws have the potential to inflict serious damage, as they allow an attacker to take complete control of an affected system and execute harmful actions remotely, including installing programs and viewing, changing or deleting data.

Enterprise networks are particularly vulnerable and organizations should take immediate action to identify affected machines, as the likelihood that the immensely popular QuickTime and iTunes applications are installed on their network is extremely high. To give an indication of the scope of this issue, the iTunes music download service has distributed 850 million songs since its introduction and is often used in conjunction with the equally popular iPod personal music system, of which 42 million have been sold since the device's inception.

eEye strongly recommends that IT departments implement tools to enforce security policies that properly manage the installation of potentially vulnerable applications such as iTunes and QuickTime. Those organizations that are utilizing eEye's Retina Network Security Scanner can immediately scan for affected systems running these applications. Organizations that have deployed the Blink Endpoint Intrusion Prevention System have been protected against these vulnerabilities since their discovery several months ago and can postpone patching to regularly scheduled maintenance cycles. Unlike signature-based technologies, such as anti-virus or behavior-based solutions, current Blink customers aren't required to do anything to realize protection from this flaw, as no updates or policy changes are required. For those interested in protecting corporate systems with Blink, an evaluation version is available for download on eEye's website:

Although these security flaws were initially found in the QuickTime application, because the popular iTunes application is so closely integrated with QuickTime, all of these security issues are also exploitable via the iTunes software. All systems running Windows 2000, Windows XP and Apple Mac OS X are vulnerable to these issues. Apple has released a solution to these issues in the form of a new version of the QuickTime player software - QuickTime 7.0.4. Additional information on all of the security flaws announced by Apple yesterday can be found here:
