Apple Adds iPad & iBooks Support to iTunes 9.1.0, Five Security Fixes

| Product News

Apple updated iTunes to version 9.1.0 Tuesday, an update that adds support for iPad synching and iBooks organizing and synching to the software. The update also includes five security patches for Mac OS X 10.4 Tiger, Windows XP, Windows 7, and Windows Vista in a continuation of Apple’s onslaught on security holes in its software.

You can download the software through Software Update (102.1MB download in Snow Leopard), or through the Apple Updater in Windows.

The patch notes from Software Update:

  • Sync with iPad to enjoy your favorite music, movies, TV shows, books and more on the go
  • Organize and sync books you’ve downloaded from iBooks on iPad or added to your iTunes library
  • Rename, rearrange, or remove Genius Mixes

The security patch notes:

  • ColorSync
    CVE-ID: CVE-2010-0040
    Available for: Windows 7, Vista, XP
    Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution
    Description: An integer overflow, that could result in a heap buffer overflow, exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The isssue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X systems. Credit to Sebastien Renaud of VUPEN Vulnerability Research Team for reporting this issue.
  • ImageIO
    CVE-ID: CVE-2009-2285
    Available for: Windows 7, Vista, XP
    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
    Description: A buffer underflow exists in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2010-001.
  • ImageIO
    CVE-ID: CVE-2010-0041
    Available for: Windows 7, Vista, XP
    Impact: Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website
    Description: An uninitialized memory access issue exists in ImageIO’s handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory handling and additional validation of BMP images. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2010-002. Credit to Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.
  • ImageIO
    CVE-ID: CVE-2010-0042
    Available for: Windows 7, Vista, XP
    Impact: Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website
    Description: An uninitialized memory access issue exists in ImageIO’s handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory handling and additional validation of TIFF images. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2010-002. Credit to Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.
  • ImageIO
    CVE-ID: CVE-2010-0043
    Available for: Windows 7, Vista, XP
    Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
    Description: A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.3. This issue does not affect systems prior to Mac OS X v10.6. Credit to Gus Mueller of Flying Meat for reporting this issue.
  • iTunes
    CVE-ID: CVE-2010-0531
    Available for: Mac OS X v10.4.11 or later,
    Mac OS X Server v10.4.11 or later, Windows 7, Vista, XP
    Impact: Importing a maliciously crafted MP4 file may lead to a denial of service
    Description: An infinite loop issue exists in the handling of MP4 files.A maliciously crafted podcast may be able to cause an infinite loop in iTunes, and prevent its operation even after it is relaunched. This issue is addressed through improved validation of MP4 files. Credit to Sojeong Hong of Sourcefire VRT for reporting this issue.
  • iTunes
    CVE-ID: CVE-2010-0532
    Available for: Windows 7, Vista, XP
    Impact: A local user may be able to obtain system privileges during iTunes installation
    Description: A privilege escalation issue exists in the iTunes for Windows installation package. During the installation process, a race condition may allow a local user to modify a file that is then executed with system privileges. The issue is addressed through improved access controls for installation files. This issue does not affect Mac OS X systems. Credit to Jason Geffner of NGSSoftware for reporting this issue.

No Comments

Log-in to comment