Killer Playlist Could Hijack iTunes
Your iTunes player may have it out for you, especially if you've been lazy in updating your software.
Security researchers have discovered a flaw in the ubiquitous Apple music player that could enable attackers to take over targeted machines and run arbitrary code on them, SC Magazine reported.
The iTunes flaw is "due to a boundary error in the processing of a playlist file," the security firm Zero Science Lab explained, and is exploited when an attacker tricks the victim into opening a rigged M3U file.
M3U is a plain text file format that specifies the location of media files, and is used to store multimedia playlists. The security flaw was discovered in iTunes version 10.6.0.40 and was present in the next version, 10.6.1.7.
Zero Science Lab tested the flaw on Windows XP and Windows 7, but an Apple security bulletin implied that Macs were affected as well.
On June 11, Apple updated iTunes to version 10.6.3 to address the problem. Just as users of unpatched Internet Explorer are currently at risk, if you haven't updated your iTunes software since the new version shipped, you could still be vulnerable to the exploit.