April 26, 2007

Raise Your Hand If You Use iTunes

Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but then iTunes won't work anymore. So it boils down to two options: either disable Java, or find another MP3 player for the time being (unless you bought a bunch of DRM-protected music from iTunes, in which case you're locked in).

As reported by SC Magazine today:

"Essentially, it’s a click-and-you’re-owned vulnerability, so clicking on a URL out of an email or a website that has malicious content [could lead to exploitation]," she said. "If you look at the Microsoft advisories in dealing with IE vulnerabilities, the same sort of common sense applies here."

In a post today on the Matasano Security blog, Thomas Ptacek delivered a dire warning about the flaw, but did not confirm a public exploit.

"There are a lot of things we’ve learned in the past couple of days that lead us to believe that the QuickTime hole is going to cause real (read: Mom’s bank account) problems," he said.

Incidentally, Apple recently announced that they have sold over 100 million iPods. That translates to a lot of vulnerable computers. And that's not even including all the people who use iTunes without actually owning an iPod.

From TippingPoint's perspective, talk about getting your $10,000 worth. This is huge, and since they own the rights to the information, they can milk the limelight as long as they want.

Here's a glimpse at how the fun began:

K2 MacBook

Shane Macaulay shortly after claiming the prize for the "Pwn To Own" contest
(Photo credit: dmuz)



Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
