| VID |
23171 |
| Severity |
40 |
| Port |
3689 |
| Protocol |
TCP |
| Class |
Daemon |
| Detailed Description |
The iTunes application has an integer-overflow vulnerability via the AAC file which exists versions prior to 6.0.5. Apple iTunes versions prior to 6.0.5 could allow a remote attacker to take complete control of an affected system, caused by an integer overflow error in the AAC file parsing code that does not properly handle malformed files. An attacker could exploit this vulnerability to crash a vulnerable application or execute arbitrary commands by tricking a user into opening a specially crafted AAC file.
* References:
http://docs.info.apple.com/article.html?artnum=303952
http://lists.apple.com/archives/security-announce/2006/Jun/msg00001.html
http://www.securityfocus.com/advisories/10781
http://www.frsirt.com/english/advisories/2006/2601
http://secunia.com/advisories/20891/
http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
* Platforms Affected:
Apple Computer, Inc., iTunes versions prior to 6.0.5
Apple Computer, Inc., Mac OS X versions 10.2.8 or later
Microsoft Windows Any version |
| Recommendation |
Upgrade to the latest version of iTunes (6.0.5 or later), available from the Apple Download Web site at http://www.apple.com/itunes/download/ |
| Related URL |
CVE-2006-1467 (CVE) |
| Related URL |
18730 (SecurityFocus) |
| Related URL |
27481 (ISS) |
|
