APPLE-SA-2007-09-06 iTunes 7.4
Posted on 06 September 2007
Apple Security-announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2007-09-06 iTunes 7.4
iTunes 7.4 is now available and addresses the following security
issue:
CVE-ID: CVE-2007-3752
Available for: Mac OS X v10.3.9, Mac OS X v10.4.7 or later,
Windows XP / Vista
Impact: Opening a maliciously crafted music file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in iTunes when processing
album cover art. By enticing a user to open a maliciously crafted
music file, an attacker may trigger the overflow which may lead to an
unexpected application termination or arbitrary code execution. This
update addresses the issue by performing proper bounds checking.
Credit to David Thiel of iSEC Partners for reporting this issue.
iTunes 7.4 may be obtained from:
http://www.apple.com/itunes/download/
For Mac OS X:
The download file is named: "iTunes7.4.dmg"
Its SHA-1 digest is: 4422396fee3323cceab7d0ae83f47f7bedb21033
For Windows XP / Vista:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: fefe391446a8d8010d0a26e9819e893a76319da6
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/