Apple has issued a fix for a flaw in iTunes that could enable an attacker to perform man-in-the-middle attacks against users. The vulnerability is fixed in iTunes 10.5.1.
The bug in iTunes relates to the way the application communicates with the iTunes server when it checks for updates to the software. An attacker holding a man-in-the-middle position on a user's network could exploit it to give the user a fraudulent or malicious app that looks like iTunes.
“Description: iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X; however, this change adds additional defense-in-depth,” the Apple advisory says.
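The advisory describes two weak points: the update check itself travelled over plain HTTP, and the download URL in the response was handed to the browser as received. The following is an added example, not Apple's code, showing how a client can close both gaps in the way the advisory describes: insist on HTTPS for the check, and open only download URLs that are HTTPS and on an allowlisted host. All function names, the allowlist and the key=value response format are hypothetical and constructed for the example.

```python
"""Hardened software-update check (added example, not Apple's code).

Vulnerable pattern, as the advisory describes it: update metadata fetched
over HTTP, and the download URL from that response opened unchecked.
Hardened pattern: require HTTPS for the check, then validate the returned
download URL before handing it to anything that will open it.
"""
from urllib.parse import urlparse

# Constructed allowlist for the example; a real client would pin the vendor's
# actual download hosts here.
ALLOWED_DOWNLOAD_HOSTS = frozenset({"www.apple.com", "support.apple.com"})


class UpdateCheckError(ValueError):
    """Raised when the update channel or the returned download URL is unsafe."""


def require_https_endpoint(update_check_url: str) -> str:
    """Refuse to check for updates over cleartext HTTP.

    The advisory's fix is a secured connection for the check; an HTTPS client
    with default certificate verification is what makes a forged response
    from an on-path attacker fail rather than succeed.
    """
    parts = urlparse(update_check_url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdateCheckError(f"update check must use https, got {update_check_url!r}")
    return update_check_url


def validate_download_url(url: str, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS) -> str:
    """Defence in depth: never open an arbitrary URL taken from a response.

    Only https:// on an allowlisted host passes; userinfo (user@host) is
    rejected so a look-alike prefix cannot disguise the real host.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateCheckError(f"download url must be https: {url!r}")
    if parts.username or parts.password:
        raise UpdateCheckError("credentials in download url are not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UpdateCheckError(f"download host not allowlisted: {host!r}")
    return url


def is_safe_download_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_download_url."""
    try:
        validate_download_url(url)
        return True
    except UpdateCheckError:
        return False


def parse_update_response(body: str) -> dict:
    """Parse a minimal key=value response (constructed format for the example)."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def decide_download(body: str):
    """Return the URL that is safe to open, or None when no update is offered.

    Raises UpdateCheckError instead of opening anything when the response
    points somewhere that fails validation.
    """
    fields = parse_update_response(body)
    if fields.get("update_available") != "1":
        return None
    return validate_download_url(fields.get("download_url", ""))


# Constructed sample responses: one genuine-looking, one as an on-path
# attacker could have forged against the old plain-HTTP check.
GENUINE_RESPONSE = "update_available=1\ndownload_url=https://www.apple.com/itunes/download/\n"
SPOOFED_RESPONSE = "update_available=1\ndownload_url=http://updates.example.invalid/itunes.exe\n"

if __name__ == "__main__":
    print("would open:", decide_download(GENUINE_RESPONSE))
    try:
        decide_download(SPOOFED_RESPONSE)
    except UpdateCheckError as err:
        print("blocked:", err)
```

The two checks are deliberately independent: the HTTPS requirement on the check protects the channel, while the URL validation limits what a wrong response can do even if the channel is ever misconfigured, which is the defense-in-depth point the advisory makes about OS X.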
Whereas Microsoft has its monthly Patch Tuesday release, Apple is spreading its patches out over what’s becoming a patch week. The company on Nov. 10 released a patch for Java on Mac OS X and then on Thursday it pushed out fixes for iOS, Time Capsule and AirPort Base Station.
Users can download the new version of iTunes by checking for updates within the application’s Help menu.