The vulnerability is the result of a boundary error in iTunes’ processing of a playlist file. It can be exploited by an attacker to cause a heap buffer overflow when a user opens the specially crafted .m3u file, explained Gjoko Krstic in a blog post.
By exploiting the vulnerability, an attacker could execute arbitrary code on the affected node to gain control of the device, he explained.
Apple patched the vulnerability with the latest version of iTunes, 10.6.3, which it released last week. According to the security update, iTunes 10.6.3 fixes a heap buffer overflow in the handling of .m3u playlists; “importing a maliciously crafted .m3u playlist may lead to an unexpected application termination or arbitrary code execution.” Apple acknowledged the assistance of Krstic in finding and fixing this flaw.
In addition, the latest version of iTunes plugged a memory corruption issue in WebKit. If the user visited a maliciously crafted website, this could lead to an unexpected application termination or arbitrary code execution.
According to Lysa Myers with Intego, no malware has been found that exploits the iTunes vulnerability identified by Krstic. “But it’s often just a matter of time before malware writers incorporate this code into their creations to get onto computers without you knowing, much like Flashback did with its Java exploit”, Myers wrote on the Mac Security blog.