iTunes update patches bug; adds new iPod, iPhone features

Computerworld - Apple Inc. updated its iTunes music software late yesterday to patch a critical vulnerability and add features that will only be enabled once the new iPod touch rolls out later this month.

According to the advisory released Wednesday, iTunes 7.4 fixes a flaw that could result in "arbitrary code execution," Apple's phrase for a critical bug. The vulnerability, which is within the code that processes and displays album cover art, could be exploited by attackers using a malformed music file.

"An attacker may trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution," the advisory read. Apple credited the bug find to David Thiel of iSEC Partners Inc. A researcher at iSEC, Thiel was a presenter at the August Black Hat security conference on vulnerabilities within media software (download PDF), and mentioned iTunes in passing during his Las Vegas presentation.

Both the Mac OS X and Windows versions of iTunes are flawed and must be updated to 7.4, Apple said.

The updated iTunes also includes several features Apple CEO Steve Jobs touted yesterday during the launch event for a revamped iPod line. Among the iTunes 7.4 additions: the ability to download tracks from iTunes over a Wi-Fi connection, free wireless access to iTunes from Starbucks coffee shops -- and ringtones. All three will be enabled sometime this month in an iPhone update, while the first two will be available in the iPod touch when it debuts later in September.

None, however, are as yet working. Apple, for instance, must first designate the half-million tracks that Jobs said would be eligible as ringtones for the iPhone. The free access at Starbucks won't kick in until the coffee chain makes changes on its end with its hot spot provider, T-Mobile. The Seattle-based company will debut the service Oct. 2 in 600 of its stores in New York and its hometown, then roll it out to another 350 stores in San Francisco in early November.

Users can update to Version 7.4 using Software Update on the Mac or the optional Apple Software Update utility on Windows PCs. Alternately, the application can be downloaded from Apple's site.