Security flaws in Apple’s popular digital media products are beginning to add up.
Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks.
Aliso Viejo, Calif.-based eEye issued two alerts on its upcoming advisories Web page to warn of heap overflows and integer overflows in the two Apple products.
Apple’s iTunes is a wildly popular online media service that sells music downloads, and QuickTime is the company’s flagship media player.
eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks.
Apple does not comment on potential security vulnerabilities in its products until a fix is available. eEye only releases basic information on the existence of the bugs but withholds technical details until a patch is ready.
In the meantime, users are urged to avoid clicking on untrusted media files.
The latest flaw discoveries come at a sensitive time for Apple. The company is under intense scrutiny after the recent release of exploit code for a Safari browser flaw and the discovery of two pieces of malware affecting Mac OS X users.
On March 1, Apple shipped a Mac OS X security update with patches for more than a dozen security vulnerabilities. The monster update included five patches for Safari, including one for an “extremely critical” flaw that could allow remote code execution if a user simply viewed a maliciously rigged Web page.