14 DAY TRIAL // Apple realized that the latest iTunes had a lot of bugs that could allow a hacker to do some damage so they released the 10.5 variant of the application to fix all the weaknesses. Unfortunately, OSX users will only benefit from the new features, while the security patches will be available in the future version of the operating systems.
Each improvement made by a company to its products will automatically attract new security issues and in this case, there weren't just a few. CoreFoundation, ColorSync, CoreAudio, CoreMedia, ImageIO and WebKit, all had their share of weak points, some of which might be exploited to perform man-in-the-middle attacks.
The CoreFoundation presented a memory corruption issue in the handling of string tokenization that could have easily led to a man-in-the-middle intervention in which the cyber mastermind had the opportunity to execute a malevolent arbitrary code.
The color management API was exposed to a heap buffer overflow which may have come from an integer overflow in the process of image handling with an embedded profile. This also could have led to an arbitrary code execution or a sudden application crash.
CoreAudio issues, that were discovered by Luigi Auriemma in collaboration with Zero Day Initiative, was susceptible to the same problems if malicious audio content was to be played in iTunes.
By viewing a TIFF image created by a hacker, the same effects were plausible due to a heap buffer overflow that affected the handling of these images.
Finally, over 70 of the vulnerabilities affected WebKit, which because of multiple memory corruption issues, would give access to a cybervillain to perform a man-in-the-middle attack while the customer was browsing the iTunes Store via iTunes.
As users of OS X 10.5 and earlier will be left unprotected for the time being, they are recommended to deploy proper third-party security solutions that will prevent any potential unfortunate incidents. iTunes 10.5 for Windows is available for download here iTunes 10.5 for Mac is available for download here