Experts Warn: iTunes Flaw Puts Windows Users At Risk
Security researchers have found a new way to attack Windows: through iTunes, Apple's very popular online media player and retailer. It involves a method of tricking the media player into performing a function that puts 40 different Windows applications at risk.
The vulnerability stems from an issue in iTunes before Apple released version 9.1. The issue was associated with what was called a "Remote Binary Planting" flaw, discovered by Slovenian research firm Acros.
Security experts found that the vulnerability in the Windows version of iTunes allowed local or remote attackers to deploy and then execute malicious code while posing as legitimate users logged into their accounts. (Source: Internetnews.com)
Apple's Fix Not Enough
Apple fixed the issue when it released version 9.1 of iTunes. However, that fix does not appear to have closed the hole affecting Windows users, which means these users are still vulnerable. According to security expert H.D. Moore, "this issue affects about 40 different apps, including the Windows shell."
If a hacker is able to convince an iTunes user to load media from a remote share over WebDAV, they can exploit the vulnerability. According to Moore, "The bug is bad behavior on the part of certain Windows applications when loading files from a network share."
Moore did not name the 40 Windows applications affected by the flaw, but did say that it was a wide range of programs, both commercial and open-source in nature. (Source: pcmag.com)
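An added detection example, not from the article or the researchers it quotes: it flags executable modules that a process loads from a UNC, WebDAV or mapped network path, which is the file-loading behavior Moore describes. The event tuples, host names, process names and the `remote_drives` set are constructed assumptions; module-load telemetry from an endpoint would feed the same check.

```python
import re
from pathlib import PureWindowsPath

EXECUTABLE_SUFFIXES = {".dll", ".exe", ".ocx", ".cpl"}
UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")
# The Windows WebDAV redirector writes hosts as server@SSL or server@<port>.
WEBDAV_HOST = re.compile(r"@(ssl|\d+)(@\d+)?$", re.IGNORECASE)
LONG_UNC_PREFIX = "\\\\?\\UNC\\"   # \\?\UNC\server\share form of a UNC path

def remote_origin(path, remote_drives=frozenset()):
    """Return 'webdav', 'unc', 'mapped' or None for a Windows path."""
    if path.upper().startswith(LONG_UNC_PREFIX):
        path = "\\\\" + path[len(LONG_UNC_PREFIX):]
    m = UNC.match(path)
    if m:
        host, share = m.groups()
        if host in ("?", "."):          # \\?\C:\... and \\.\ are local device paths
            return None
        if WEBDAV_HOST.search(host) or share.lower() == "davwwwroot":
            return "webdav"
        return "unc"
    # remote_drives: drive letters known to be mapped to network shares (assumption)
    drive = PureWindowsPath(path).drive.upper()
    return "mapped" if drive in remote_drives else None

def find_remote_module_loads(events, remote_drives=frozenset()):
    """events: iterable of (process_image_path, loaded_module_path) pairs."""
    findings = []
    for process, module in events:
        if PureWindowsPath(module).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue                    # media files on a share are expected
        origin = remote_origin(module, remote_drives)
        if origin:
            findings.append((PureWindowsPath(process).name, origin, module))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Player\player.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Program Files\Player\player.exe", r"\\fileserver\music\album\helper.dll"),
    (r"C:\Program Files\Player\player.exe", r"\\example.test@SSL\DavWWWRoot\media\codec.dll"),
    (r"C:\Program Files\Player\player.exe", r"\\example.test@80\share\song.mp3"),
    (r"C:\Windows\explorer.exe", r"Z:\media\plugin.dll"),
    (r"C:\Windows\explorer.exe", r"\\?\C:\Windows\System32\shell32.dll"),
]

if __name__ == "__main__":
    for hit in find_remote_module_loads(SAMPLE_EVENTS, remote_drives={"Z:"}):
        print(hit)
```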
One Big Patch Not Applicable
Because the bug has been found in the way individual applications operate, experts say every single app will require its own fix, meaning one big patch cannot solve the whole problem at once.
Given that the issue originated with Apple but has expanded to affect all Windows users, deciding who is responsible for the flaw or the fix could complicate the development of a patch.
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!