14 DAY TRIAL // Apple has released iTunes 9.2.1, an update which addresses a critical arbitrary code execution vulnerability. The flaw affects both the Mac and Windows versions of the application and can be exploited by an attacker via a specially crafted itpc: link to compromise a system remotely.
According to Danish vulnerability intelligence vendor Secunia, the vulnerability, identified as CVE-2010-1777, is caused by a boundary error in how the application handles certain "itpc:" links. An attacker can craft a special URI and trick users into accessing it. Successful exploitation would result in a buffer overflow condition that would cause the application to crash and allow the attacker to execute arbitrary code.
“Accessing a maliciously crafted 'itpc:' URL may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking,” the corresponding Apple advisory reads. Security researcher Clint Ruoho from Colorado-based Laconic Security.
The ITPC, an acronym for iTunes Podcast, is a pseudo-protocol that can be used to publish podcasts that are intended to be opened with Apple's application. In reality itpc: is just a trigger and iTunes actually accesses these podcasts over HTTP. Except iTunes, the number of applications which implemented an itpc: handler is very small.
Bugs such as these, affecting URI handling procedures, are very dangerous, because they can be easily exploited without requiring too much technical knowledge. Considering iTunes' huge user base, due to the extremely high popularity of iPods, iPhones and iPads, such vulnerabilities open the posibility of mass attacks.
A similar flaw in how Windows XP processes hcp: (Help and Support Center) URIs was disclosed at the beginning of last month as a zero-day. It was quickly adoped by hackers in the following days and used with a high level of success in both drive-by-download and targeted attacks.
iTunes 9.2.1 for Windows can be downloaded from here.
iTunes 9.2.1 for Mac can be downloaded from here.
Users are strongly advised to upgrade immediately.
You can follow the editor on Twitter @lconstantin