iTunes 10.5 fixes security holes on Windows
Apple has released version 10.5 of its popular iTunes media player software, a major update that adds new features and addresses a number of security vulnerabilities. According to the company, a total of 79 holes have been closed in the Windows version of iTunes.
Version 10.5 corrects 73 memory corruption problems in the WebKit browser engine used by iTunes; these could lead either to application termination or arbitrary code execution via a man-in-the-middle attack while browsing the iTunes Store. Other fixes correct unexpected application termination or arbitrary code execution bugs in CoreFoundation, ColorSync, CoreAudio, CoreMedia and ImageIO.
The Mac OS X version of iTunes 10.5 does not include any security fixes. These problems will be addressed in an upcoming Mac OS X 10.7.2 update and in Security Update 2011-006 for Mac OS X 10.6 systems. It appears that users running Mac OS X 10.5 or earlier will be left unprotected from these problems.
In addition to security fixes, iTunes 10.5 adds support for the upcoming iOS 5 release, wireless syncing of devices and iCloud. While QuickTime is no longer included or required to use the Windows version of iTunes, Apple says that it may still be needed for older media files and that it can be installed separately.
More details about the update, including a full list of security fixes, can be found in the security mailing list announcement. Version 10.5 of iTunes is available to download for Windows (32- and 64-bit) and Mac OS X 10.5 or later. Alternatively, Mac OS X users can upgrade to the latest release via the built-in Software Update function. All users are advised to upgrade as soon as possible.
- About the security content of iTunes 10.5, security advisory from Apple.