
SANS ISC: iTunes < 6.0.5 vulnerability & patch released SANS ISC InfoSec Forums

iTunes < 6.0.5 vulnerability & patch released
Apple has released an update for iTunes that fixes an integer overflow in its AAC file parsing code that can lead to code execution. Y'all want to get this one patched and updated.
APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID:  CVE-2006-1467
Available for:  Mac OS X v10.2.8 or later, Windows XP / 2000
Impact:  An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description:  The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.


Jun 29th 2006
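
The advisory does not publish the flawed code, so the following is an added illustration of the bug class it names (an integer overflow on a count read from a media file) and of the kind of validation check that closes it. It is not Apple's code; the record layout and the names `table_bytes_unchecked` and `parse_table` are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define ENTRY_SIZE 4u  /* constructed layout: each table entry is 4 bytes */

/* Read a 32-bit big-endian value from the file buffer. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: a 32-bit multiply on a file-supplied count.
 * For count = 0x40000001 the product wraps to 4, so an allocation
 * sized from it would be far too small for the copy that follows. */
uint32_t table_bytes_unchecked(uint32_t count) {
    return count * ENTRY_SIZE;
}

/* Hardened parse: validate the count against the bytes actually
 * present before any multiplication or allocation.
 * Returns 0 on success, -1 if the input is rejected. Caller frees *out. */
int parse_table(const uint8_t *buf, size_t len,
                uint32_t **out, uint32_t *out_count) {
    *out = NULL;
    *out_count = 0;
    if (buf == NULL || len < 4)
        return -1;                      /* no room for the count field */
    uint32_t count = be32(buf);
    size_t remaining = len - 4;
    if (count > remaining / ENTRY_SIZE)
        return -1;                      /* count claims more data than exists */
    if (count == 0)
        return 0;                       /* empty table, nothing to allocate */
    /* count * ENTRY_SIZE <= remaining here, so the size cannot wrap. */
    uint32_t *entries = malloc((size_t)count * ENTRY_SIZE);
    if (entries == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        entries[i] = be32(buf + 4 + (size_t)i * ENTRY_SIZE);
    *out = entries;
    *out_count = count;
    return 0;
}
```

The division-based check bounds the count by the input length, which rejects the wrapping value without relying on a wider integer type.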
