iTunes 10.5 released to fix 79 vulnerabilties on Windows, OS X to follow


iTunes 10.5Apple released a mammoth update to iTunes for Windows today bumping the version number to 10.5. The update fixes 79 vulnerabilities in iTunes, although not for Mac OS X users.

The largest number of fixes, 73, affect WebKit and could cause remote code execution. WebKit is used to render HTML content from the iTunes store.

Fortunately these vulnerabilities can only be exploited through a man-in-the-middle attack while using iTunes.

Other fixes resolve remote code execution flaws in CoreFoundation, ColorSync, CoreAudio, CoreMedia and ImageIO.

According to SANS Internet Storm Center, Apple will be releasing fixes for OS X users as part of the yet unreleased updates for 10.6 (Snow Leopard) and 10.7 (Lion). Users of OS X 10.5 and earlier will be left unprotected.

iCloud logoiTunes 10.5 for OS X is available as well, but only includes new features, not security fixes. iTunes 10.5 introduces iCloud support, wireless syncing and support for iOS 5.

One piece of good news is that iTunes no longer requires QuickTime on Windows machines. If you don’t need/want QuickTime this might be a great opportunity to remove it, reducing the number of applications you need to keep patched.

I hope we see an update for Mac OS X soon as Apple still have not fixed the six week old directory services vulnerability and the three week old password change vulnerability.

If you are a Mac user interested in protecting your computer consider downloading our Sophos Anti-Virus for Mac Home Edition for free protection from viruses, Trojans and other malware.