Windows users with iTunes beware! Apple has opted you in to install their vulnerable Safari browser on your computer with iTunes updates. You must click the Safari update box off before updating iTunes if you don’t want to install Safari.
They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.
So if you update iTunes and install Safari, you’re getting this exploitable code on your computer.
I may have more information about the nature of the exploit tomorrow. :-)
- The exploit Charlie Miller used to win the coveted Macbook Err involved a telnet exploit via privilege escalation from a malformed/malicious link. Reportedly. We’ll find out when Apple gets around to fixing it. Which brings me to another point…
- Before anyone dismisses my objections to Apple’s requirement that users opt-out of installing Safari when updating iTunes, look at Secunia’s new advisory. Note that it’s highly critical. Safari is buggy and vulnerable in OSX. It’s even worse in Windows.