[Spookie]

18 Jan 2005 - VNUNet.com

Code that allows hackers to exploit a vulnerability in Apple's iTunes software has appeared over the weekend.

The code was posted on the Bugtraq mailing list by someone known only as 'Nemo', and acknowledges the help of three friends 'andrewg', 'mercy' and 'core'. The code is designed purely as a proof of concept and contains no virus or Trojan payload.

"Here is some code to exploit the vulnerability. It will generate a *.pls file which, when opened with iTunes 4.7, will bind a shell on port 4444," said 'Nemo' in the message.

Early versions of iTunes are vulnerable to hackers who can build malicious playlist files which crash the application. Code can then be inserted, either to spread a virus or allow the attacker to take control of the host PC.

The latest version, iTunes 4.7.1, is not affected by the vulnerability and can be downloaded from Apple's website (http://www.apple.com/support/downloads/itunes471.html).