Latest iTunes update patches only Windows security issues

Oct 12, 2011 10:57 GMT

Although Apple has released separate versions of iTunes 10.5 for both Mac and Windows customers, only the Windows camp got security fixes, while Mac users have been left vulnerable until the company releases new updates.

Citing the SANS Internet Storm Center, Chester Wisniewski, Senior Security Advisor at Sophos, notes that “Apple will be releasing fixes for OS X users as part of the yet unreleased updates for 10.6 (Snow Leopard) and 10.7 (Lion).”

The security expert specifically notes that “Users of OS X 10.5 and earlier will be left unprotected.”

According to the security advisory published by Apple, at least some of the vulnerabilities patched on Windows have already been addressed on Mac OS X. However, the updates that carry those patches have not yet been released to the Mac user base.

For example, a bug sitting at the top of the list affecting CoreFoundation is documented as follows (emphasis mine):

CoreFoundation

Available for: Windows 7, Vista, XP SP2 or later.

Impact: A man-in-the-middle attack may lead to an unexpected application termination or arbitrary code execution.

Description: A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.

Security Update 2011-005 is the last security update released by Apple. Version 006 should be released later today, in tandem with Mac OS X 10.7.2.

A CoreMedia bug is similarly labeled as affecting Windows customers, as well as Mac OS X Snow Leopard users. While Snow Leopard users will have to patch this flaw using the aforementioned (upcoming) update, OS X Lion users will require Mac OS X 10.7.2.

“A buffer overflow existed in the handling of H.264 encoded movie files,” reads the description. “For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.”