
Security Updates for iPod Touch, iTunes and QuickTime

Apple on Tuesday released software updates to fix at least 20 security holes in its various products, from the iPod Touch to OS X and Windows versions of iTunes and QuickTime.

The iPod Touch update fixes seven flaws, and is available only through iTunes, which Apple updated to iTunes 8 yesterday. My colleague Mike Musgrove has a nice write-up on the new features in the latest iTunes version, which includes just a couple of security fixes. The more interesting of the two describes a "misleading" warning box from OS X about the safety of poking holes in the built-in firewall to accommodate music sharing in iTunes. From Apple's description:

Description: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn't affect the firewall's security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog.

In addition to the two iTunes updates, Apple released a pair of fixes for Bonjour for Windows, a networking application installed by iTunes. The Bonjour fixes are bundled with the latest version of iTunes.

QuickTime 7.5.5 includes at least nine security updates for both Mac and Windows versions of the media player software.

Windows users can update QuickTime and iTunes through the bundled Apple Software Update application (if you don't want the Safari browser to be installed as well, you'll need to uncheck that option). Apple users can grab the latest updates from Software Update or Apple Downloads.

By Brian Krebs  |  September 10, 2008; 12:30 PM ET


I updated iTunes & QuickTime no problem. To update my iPod Touch, they want me to pay $9.95. Why should I have to pay for a security update???

Posted by: Disgruntled iPod Touch owner | September 10, 2008 1:26 PM | Report abuse

"Why should I have to pay for a security update???"

Because Steve Jobs is a greedy monopolist and you chose to buy his product anyway.

Posted by: Patrick Huss | September 10, 2008 2:08 PM | Report abuse

People who post snipes about Steve Jobs have become almost a parody of themselves. Do you really think Stevearino is personally slapping the pricetags on security updates? You probably are the same guy who blames Ronald McDonald when you get a bad cheeseburger at the golden arches.

Posted by: Mark Allen | September 10, 2008 2:13 PM | Report abuse

Of course you don't blame Ronald McDonald. Everyone knows that bad burgers are to be squarely and firmly blamed on the Hamburgler and Mayor McCheese. McNuggets that are bad are the fault of Birdie, and bad/cold fries are the sole fault of the Fry Guys.

On a serious note, posting a shot at Jobs over Apple practices is no less/no more ridiculous than taking a shot at Gates over Microsoft practices. It's just another way for the rabid fanbois to fire off salvos.

Posted by: Charles Decker | September 10, 2008 2:30 PM | Report abuse

IIRC, the reason iPod owners pay for updates while iPhone owners don't is due to an oddity in accounting rules. That is, the Feds require Apple to charge for it.

Posted by: wiredog | September 10, 2008 2:48 PM | Report abuse

Hey, Disgruntled, you do NOT have to pay for a security update. This is an update (v.2.1) to a features upgrade (v.2.0), which introduced 3d-party apps and other new features, such as Remote, and Mail, Maps, and Notes if you didn't buy the previous upgrade in January. Touch users who paid for the upgrade to 2.0 this summer get the security update for that free -- I downloaded it last night. People who didn't buy the upgrade before but want it now, have to pay for it now. But people who didn't buy the upgrade before do not have to buy anything now -- Apple still puts out security updates for the existing software (I think it's up to v.1.1.4 now). You probably aren't getting a security update now because 2.1 is fixing bugs you don't have. You only have to pay $9.95 to add functionalities (again, 3d-party apps, as well as Remote and some other new features, and Mail if you didn't buy the previous upgrade in January) that the Touch didn't have before this summer.

That being said, I think it's worth it. The NY Times mobile application (don't worry, Post, I still get your dead tree version too) and free versions of Tetris and Solitaire have totally changed my commute.

Posted by: jane | September 10, 2008 3:45 PM | Report abuse

Why the bleep does QuickTime have so many freaking security holes? Is it that complicated to just check the bounds of the data before feeding it to the player? Does this data conform to the standard we've set for QuickTime movies? OK, let's play it. It doesn't? Into the bit bucket with it!

I guess I'm being overly simplistic, but it just doesn't seem like it ought to be that hard to develop a data standard and an application that are just a wee bit more impervious to "maliciously crafted" data.

Posted by: burke | September 10, 2008 5:22 PM | Report abuse

>Why the bleep does QuickTime have so many freaking security holes? Is it that complicated to just check the bounds of the data before feeding it to the player?

Yes, it does boggle the mind. QuickTime is obviously built on the creaky architecture of a player written back when the data stream was not considered to be hostile. Consider all the showstopper bugs published in the last year. Then imagine how many will be published in the coming year. This is the current QuickTime that you are running today....

Posted by: Moike | September 11, 2008 7:07 AM | Report abuse

Security in code is harder than many might appreciate. The obvious goal for the developer is to achieve an end, and to find ways to do so. Once that end is achieved and made available, it becomes the object of security scrutiny and attack. Since few applications are totally stand-alone (e.g. how the hardware works, how the compiler generates code, how the OS handles calls, what third-party capabilities are included, etc.) a security flaw can be introduced in a lot of different ways. It's also important to recognize that security flaws are rarely found by amateurs anymore. The security attackers have their own culture, their own toolsets, and a very high degree of sophistication about how to attack software. Underestimation of one's opponent is the surest path to defeat.

Posted by: Albee | September 11, 2008 11:00 AM | Report abuse

Ugh, the bundling of apps (BonJour and QuickTime into iTunes) and the requirement to use iTunes for these Apple hardware products leaves a bad taste. I prefer more control and choice than Apple cares to provide. Not to mention all the security issues with these apps and/or how they impact your system's performance, the high initial cost of the hardware, and having to pay for incremental versions of the OS X software (for iPhone and Macs) just because they contain a few new features. I would really like to use some of these products, but issues I've detailed are not very conducive in doing so.

Posted by: TJ | September 11, 2008 11:39 AM | Report abuse

Speaking of performance issues and such,

"Apple's iTunes PC software, updated to version 8.0 on Tuesday, has come under fire for causing "Blue Screen of Death" (BSOD) crashes in Windows. For this to happen, Apple has to be installing a kernel-level driver on the system, and sure enough, that's exactly what's happened. Critics of the company point out that this driver is installed without warning, and whether it's needed or not, but the BSOD crashes seem to be related with iPod connectivity.

The problems with iTunes aren't exactly an anomaly for Apple and, in many ways, 2008 has been a tough year for the quality of the company's software products. The iPhone 3G launch, while successful, has been marred by rampant and endemic problems with the device's system software, wireless hardware, and wireless service, and Apple has tried unsuccessfully to fix things twice already with software updates. A third update attempt, iPhone Software 2.1, is ready, according to Apple. But the company won't let iPhone users download it until Friday for some reason. Users of the similar iPod touch device got the update on Tuesday, angering iPhone users, who pay AT&T expensive fees of at least $80 per month for the right to use the device."

Posted by: TJ | September 11, 2008 11:43 AM | Report abuse

Fanbois write glowing reviews of the beloved whatevers. Writing something critical of Steve Jobs is not the same as being a fanboi of Microsoft. If it makes you geeks feel better, Bill Gates is a loopy, hyper-competitive, insanely greedy enemy of the industry.
So now that I am on the record as being critical of both Jobs and Gates who am I a fanboi of?
Get a grip, and get a better put-down. You want to buy an Apple, fine. You want a Dell, no problem. Just don't go crying all over the internet when you get exactly what any moron knew you would get when you made that choice.
One more thing, EEEWWWWWWWWWWWW, you still eat at McDonalds?! Why not just stay home and shovel lard into your mouth?

Posted by: Patrick Huss | September 11, 2008 12:15 PM | Report abuse

Uh, uh…

When you, PC user, employ the Apple Software Update application to grab the latest and greatest, place a check in the box to select what you want. Then, go to Tools --> Download Only. Once it finishes downloading the selected items, it places a folder on your hard drive with installers that will install the selected programs. From there, click on the items you want to install.

After the download successfully completed, it opened a folder called Apple Software Update. I could also find the folder here: Local Settings\Application Data\Apple\Apple Software Update. Since I have a Mac at home, I don’t need the MobileMe, AppleMobileDeviceSupport, or Bonjour so I trashed them. After trashing those items, everything seems to work fine for me, even though I rather like the way iTunes works on Mac best. And for the icon folks, I simply trashed them!

Posted by: umm.huh | September 11, 2008 1:13 PM | Report abuse

It makes me smile to read about the Windows-users bashing Apple. In the end it seems they only need to get used to easy-to-use software (that Apple apparently even makes for Windows). Just a few check-boxes and drag-and-drop to get what you want? That can't be true (is what they think due to using an inferior OS for too long)!
The irony...

Posted by: It's funnie! | September 12, 2008 8:53 AM | Report abuse

You PC folks can say whatever you like, but when there is a problem with iTunes or Quicktime you need to jump on it or one of the smaller flaws of the software bundled with the OS because the OS itself is ROCK SOLID unlike Wintel. No registry, not many viruses, and fewer headaches. There are entire industries built on the flaws of Windows, so don't even try to go there. The simple fact is (and I own both) that owning a MAC is drama free compared to owning a PC with its systemic memory management problems, malware (antivirus and spam remover are required), registry, driver issues, etc. I really could go on and on. Does MS even have a 64 bit desktop OS that is relevant in the market yet? What's up with the stupid Mojave commercial? Notice how one of the guys above mentioned that he has BLUE SCREENING issues with iTunes on his PC. When was the last time your MAC bluescreened? Oh you don't have a MAC? Well it doesn't happen, it just runs. Try it out before you whine, you might actually like it. At any rate, don't even try to compare MS's quality to Apple's. Apple will hold a product's release date back like it did with the MACs in the fall of '06 to save their owners headaches. When was the last time MS EVER did that?

Posted by: Dante | September 12, 2008 11:35 AM | Report abuse

One other thing. Those of you who think MACs are expensive are not familiar with the term, 'Total Cost of Ownership', which includes downtime, cost of fixing, reimaging, or the cost of your time when not working over the lifetime of the PC. When you look at these, you will find that the actual cost of the MAC is cheap. Sure it might be 2-300 bucks more up front, if that, if you compare it to a quality built Sony or HP unit (it might be less than that) that has similar hardware specs, but it is competitive and you do get what you pay for. I am an IT professional and I want and deserve the best computer for my personal machine and I think the MAC is it. If you don't agree such is your right, but you probably don't know much about the ills of dealing with WMI (WBEMTEST application) or Regedit. These are not indicative of quality coding and are klugey designs and have been with the software for the last three iterations for 8-9 years. Time for the software to mature and time for MS to update its bad code instead of continuing to build on it.

Posted by: Dante | September 12, 2008 12:11 PM | Report abuse


As a fellow "IT professional", your displayed ignorance is quite amusing and quite frankly indicates a level of fanboyism. Me thinks you've drank a little too much koolaid. ;)

Posted by: TJ | September 12, 2008 1:28 PM | Report abuse

Apple re-releases iTunes 8 to fix Vista 'blue screen of death',
Ditches buggy driver for earlier version; users must uninstall, then reinstall

Posted by: TJ | September 12, 2008 5:49 PM | Report abuse

It's probably all Linux's fault anyway. They broke Vista, not Apple!!

Posted by: David Gerard | September 13, 2008 6:00 PM | Report abuse

The comments to this entry are closed.
