Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks.
Od4ys exploits soon?

Aliso Viejo, Calif.-based eEye issued two alerts on its upcoming advisories Web page to warn of heap overflows and integer overflows in the two Apple products.

Apple’s iTunes is a wildly popular online media service that sells music downloads and QuickTime is the company’s flagship media player.

eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks.

Apple does not comment on potential security vulnerabilities in its products until a fix is available. eEye only releases basic information on the existence of the bugs but withholds technical details until a patch is ready.

In the meantime, users are urged to avoid clicking on untrusted media files.

The latest flaw discoveries come at a sensitive time for Apple. The company is under intense scrutiny after the recent release of exploit code for a Safari browser flaw and the discovery of two pieces of malware affecting Mac OS X users.

On March 1, Apple shipped a Mac OS X security update with patches for more than a dozen security vulnerabilities. The monster update included five patches for Safari, including an “extremely critical” flaw that could cause remote code execution attacks if a user simply viewed a maliciously rigged Web page.

from [url=http://www.eweek.com/article2/0,1895,1936596,00.asp]eWeek[/url]

---

Filed under: Apple - @ March 13, 2006 10:42 pm