September 26, 2016

Apple Releases iTunes 10.5.1 to Fix Man-in-the-middle Vulnerability

(LiveHacking.Com) – Apple has released iTunes 10.5.1 to fix a potentially dangerous man-in-the-middle vulnerability. According to the iTunes 10.5.1 security advisory a hacker using a man-in-the-middle attack could offer software to end users that appears to originate from Apple. This is course would be a way to infect a computer with malware. The vulnerability exists in iTunes for Windows and for OS X.

iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.

The vulnerability was reported to Apple by Francisco Amato of Infobyte Security Research.

iTunes 10.5.1, which is available for Mac OS X v10.5 or later, Windows 7, Vista and XP SP2 or later also introduces iTunes Match. Announced earlier this year, this new service allows users to store their entire music library in iCloud, including music that has been imported from CDs.