IT security experts have warned enterprises to take immediate action against four “critical” security vulnerabilities related to an old, but widely distributed, versions of Apple’s QuickTime media player and iTunes music store software.
These flaws have the potential to inflict "serious damage", as they allow a malicious attacker to take complete control of compromised systems and execute harmful action remotely, including installing programs, viewing, changing or deleting data, said eEye Digital Security.
The security firm went on to warn that enterprise networks are "particularly vulnerable" and organizations should take immediate action to identify affected machines, as the likelihood that the immensely popular QuickTime and iTunes applications are installed on their network is extremely high.
To give an indication of the scope of this issue, eEye noted that the iTunes music download service has distributed 850 million songs since its introduction and is often used in conjunction with the equally popular iPod personal music system, of which 42 million have been sold since the device's inception.
"Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that.' Those IT departments would be mistaken," said Marc Maiffret, eEye's co-founder and chief hacking officer. "There are few people that have not seen a co-worker with an iPod wandering the halls of their organization, and those iPods probably mean iTunes is on your network. These flaws highlight the need for rigorous security policies and their enforcement via network security scanning and comprehensive endpoint security that will allow enterprises to mitigate this growing threat."
Although these security flaws were initially found in the QuickTime application, because the popular iTunes application is so closely integrated with QuickTime, all of these security issues are also exploitable via the iTunes software, eEye claimed. All systems running Windows 2000, Windows XP and Apple Mac OS X are vulnerable to these issues.
Apple has released a solution to these issues in the form of a new version of the QuickTime player software – QuickTime 7.0.4.