The Mac Security Blog


iTunes 10.5.1 Includes Minor Security Update

Apple has released iTunes 10.5.1, the latest version of the company’s media management software, which notably includes the company’s new iTunes Match cloud music service. This update contains one minor security fix, described as follows:

Impact: A man-in-the-middle attacker may offer software that appears to originate from Apple

Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.

As the description points out, this isn’t a serious issue for Mac users, but Apple is fixing it for them anyway, as there’s always the possibility that someone could create a fake program that looks like Apple’s Software Update.

You can download this new version of iTunes from, of course, Software Update, or from Apple’s iTunes download page.
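The mitigation described above, seen from the client side, as an added example (not Apple's code and not part of the original post): an update-check reply is ignored unless the check itself went over HTTPS to a trusted host, and the download link it carries passes the same test. The host names and the `download_url` reply field are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: placeholder hosts the updater trusts; not taken from the page.
TRUSTED_HOSTS = {"updates.vendor.example", "downloads.vendor.example"}


def _is_trusted_https(url: str) -> bool:
    """True only for https URLs on an exact trusted host, default port, no userinfo."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # blocks https://downloads.vendor.example@other.example/
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in TRUSTED_HOSTS  # exact match, so look-alike suffixes fail


def download_url_to_open(check_url: str, response: dict):
    """Return the URL that may be handed to the browser, or None to ignore the reply.

    check_url: where the update check was fetched from.
    response:  parsed update-check reply (hypothetical shape: {"download_url": ...}).
    """
    # A reply fetched over plain HTTP can be rewritten in transit, so nothing
    # in it is trusted, even when the link inside it looks legitimate.
    if not _is_trusted_https(check_url):
        return None
    url = response.get("download_url")
    if not isinstance(url, str) or not _is_trusted_https(url):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample reply, for illustration only.
    reply = {"download_url": "https://downloads.vendor.example/setup.exe"}
    print(download_url_to_open("http://updates.vendor.example/check", reply))
    print(download_url_to_open("https://updates.vendor.example/check", reply))
```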


Chinese Auction Site Selling Stolen iTunes Accounts

Some 50,000 stolen iTunes accounts are for sale on a Chinese auction site, according to the BBC. TaoBao, a popular Chinese auction site, lists stolen iTunes accounts and sells them for “temporary access to unlimited downloads from the service for as little as 1 yuan (10p) a time.” Listings tell users that they are likely to be able to access the accounts for only 12 hours before they are shut down.

Most likely, the account information was not obtained by hacking into Apple’s servers, but rather by phishing or Trojan horses. Once an Apple ID (used for an iTunes Store account) and its password have been obtained, the possessor of the information will be able to buy any type of content on the iTunes Store as long as the account has credit, or is set up with a credit card. Most likely, the accounts get shut down once irregular activity is seen, hence the 12 hours that the sellers suggest the buyers will have to make purchases.

A French site reports today that phishing attempts are being made via iChat. In the example they show, the phishing page asks for an Apple ID and password, and this information could be used to access an iTunes Store account as well.

For all of these reasons, users should protect themselves against phishing and malicious websites (using the powerful features in Intego VirusBarrier X6), and should keep a close watch on their credit card statements. If they find unexpected charges, they should immediately change the password for their Apple ID, and then follow up with Apple and their credit card company.


Apple Issues iTunes Security Update

Apple has released a security update to iTunes, which is now version 9.2.1. While the security content of this update is described as being Windows-only (“A buffer overflow exists in the handling of ‘itpc:’ URLs. Accessing a maliciously crafted ‘itpc:’ URL may lead to an unexpected application termination or arbitrary code execution”), the Mac version has been updated as well, with a number of bug fixes.

Mac users can install the update using Software Update, or by visiting the iTunes download page.


Apple Updates iTunes and QuickTime with Security Fixes

Right after releasing a major system update with the largest number of security fixes ever, Apple has released two other updates which contain security fixes.

iTunes 9.1, released in advance of the iPad, which will be available this Saturday, fixes seven bugs, but only one for Mac OS X (the others are for Windows). This update, for Mac OS X 10.4.11 or later, is available for download via Software Update, or from Apple’s iTunes download page. It’s about 93 MB. Full information about the security fixes is available here.

As for the QuickTime update, it fixes 16 bugs, and is available for Mac OS X 10.4 and 10.5. The fixes it contains were in the Mac OS X 10.6.3 update that was released on Monday. It, too, is available via Software Update, or from Apple’s Downloads page, and full information is available here. It’s a 69 MB download.