iTunes 10.5.1, released in November, fixed a bug that enabled an attack in which the program's update mechanism could be “fooled” by an attacker into downloading an update that actually contained a virus. According to the Argentinian security researcher Francisco Amato, who discovered the flaw, Apple was first informed of the problem in July 2008. The company only got back to him in October 2011, to confirm the name of the researcher, who was credited with discovering the flaw.
Because of the flaw, Mac and Windows users were vulnerable when using public wireless connections, for example. An attacker could easily “plant” a false update, which would be detected by iTunes and installed as if it were Apple software. The problem exists, or has existed, in a similar form in other update mechanisms, such as those of Adobe and Oracle's Java.
According to a report in The Wall Street Journal, a company called Gamma distributed a monitoring and surveillance program known as FinFisher using the flaw in Apple’s software. Gamma revealed its tactics in its marketing efforts, aimed mainly at authorities.
There are suspicions that FinFisher was used by police in Egypt, after Gamma material was found by demonstrators during the protests in early 2011.
In version 10.5.1, iTunes started using a secure connection to receive information about updates, making it harder for an attacker to pass himself off as the Apple server.
Francisco Amato, who discovered the flaw, was interviewed in 2008 by the Washington Post about problems caused by insecure update mechanisms. At the time, he developed the Evilgrade tool to facilitate such attacks.
In an interview with journalist Brian Krebs, Amato suggested that Apple may have forgotten the flaw or classified the problem as low severity, hence the delay in the update. According to a survey by Krebs, Apple takes on average 91 days to fix vulnerabilities in its software.