iTunes security vulnerability had been present for over three years
Apple had been aware of a vulnerability in the iTunes update system, fixed in version 10.5.1 released in mid-November 2011, for more than three years. According to security expert Brian Krebs, who has seen email correspondence between the two parties, security researcher Francisco Amato informed Apple of the problem in summer 2008.
Prior to iTunes version 10.5.1, the integrated update was carried out via an unencrypted HTTP query and permitted an attacker who had control of the user's network to make his own software look like a legitimate iTunes update and, where Apple's Software Update application was not present, open the HTTP response in a standard browser. The company behind "FinFisher" advertised the vulnerability as a means of installing its spyware application on target systems.
It is not clear why Apple took more than 1200 days to fix the problem – the company has yet to comment on the issue. Amato believes that Apple must either have forgotten about the problem or have placed it at the end of its to-do list, since it was only exploitable in the Windows version of iTunes. Under Mac OS X, the result of the update query is not displayed in the user's browser, as the software update system is integrated into the operating system. According to Apple, the same changes made in iTunes 10.5.1 on the Mac "add additional defense-in-depth".