+1 with ASB's assessment, 

 

Malware analysis is a very hot topic these days, and the attackers are
only limited by their imagination as to what they can pack in a seemingly
"harmless" MP3, MP4, PDF, Doc, etc. file. Because they know what is
triggering the vulnerability (either publicly known or private)
and make sure their "exploit" has a high probability of bypassing
scanning engines (if it's a 0-day and private, which the trend has
been lately), the AV vendors and others are already behind the ball
on signatures, which means the surface area for attack on the
vulnerability remains high without mitigating controls in place.

 

It's all about process execution and controlling that execution so that
only "allowed" applications and their code are able to run and
everything else is denied; without that you are still susceptible to
being 0wned, and even with controlling the process execution, sometimes
you can still get 0wned.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Thursday, September 16, 2010 1:56 PM
To: NT System Admin Issues
Subject: Re: iTunes

 

And I'm going to have to disagree with your assessment.   

 

We are just about a decade beyond the time when we swore that data-only
formats were safe. Today you can send malformed PDF, malformed JPG,
and malformed GIF files, just to name a few, and these can be used to
gain access to a machine.

 

Now, I'm not limiting this to iTunes -- I'm merely disputing your
"theoretical" label on this type of threat.   As long as there is an
executable that needs to process the data file, buffer overflow exploits
are possible.

 

In 2010, it is a very real consideration.


ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>  
Exploiting Technology for Business Advantage...
 

On Thu, Sep 16, 2010 at 1:10 PM, Ken Cornetet <ken.corne...@kimball.com>
wrote:

In a very theoretical way you are correct, but as a practical matter,
not so much so.

 

Yes, it is theoretically possible that iTunes could have a bug that
could be triggered by a specifically malformed MP3 file, but the chance
that the bug would lead to usable results by the "attacker" is extremely
thin.

 

It is a bit like saying that text files should be banned because some
text file might possibly exist that causes notepad to download a trojan
and install it. Possible, but not very likely. 

 

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Thursday, September 16, 2010 11:22 AM
To: NT System Admin Issues
Subject: RE: iTunes

 

Music obtained from peer to peer networks is often infected. 

No music format that I am aware of has the capability of carrying
executable code.

 

All files - music or otherwise - are streams of 1's and 0's. It's solely
up to the application playing the files to determine what the bits
mean. If there's a security vulnerability in iTunes, then an MP3 file
would be a likely vehicle for delivering it. A file doesn't need to be
overtly "code" to exploit a vulnerability.
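An added example, not code from any poster in this thread, of the point made here and in ASB's reply: a data file only has to feed a length that a parser trusts. A toy C reader for a "TIT2" (title) frame is shown in the unchecked form beside a bounds-checked one and run on constructed frames; the frame layout, TITLE_MAX and the function names are assumptions for illustration, not a real ID3 implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy ID3v2-style "TIT2" (title) frame: 4-byte id, 4-byte big-endian
 * size, then the payload. Constructed for illustration, not a real parser. */
#define TITLE_MAX 64

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* The pattern that gets media parsers into trouble: the size field is taken
 * on faith and drives the copy. Kept only for contrast; never called here. */
int read_title_unsafe(const uint8_t *buf, char *out) {
    uint32_t size = be32(buf + 4);
    memcpy(out, buf + 8, size);        /* no check of size at all */
    out[size] = '\0';
    return (int)size;
}
/* Hardened form: every length taken from the file is checked against the
 * bytes present and the output buffer first. Returns length or -1 if malformed. */
int read_title_safe(const uint8_t *buf, size_t buflen,
                    char *out, size_t outlen) {
    if (buflen < 8) return -1;                  /* header incomplete */
    if (memcmp(buf, "TIT2", 4) != 0) return -1; /* not a title frame */
    uint32_t size = be32(buf + 4);
    if (size > buflen - 8) return -1;           /* claims more than exists */
    if (size >= outlen) return -1;              /* would not fit with NUL */
    memcpy(out, buf + 8, size);
    out[size] = '\0';
    return (int)size;
}

/* Constructed sample frames (not real files). */
static const uint8_t good_frame[]  = { 'T','I','T','2', 0,0,0,5, 'H','e','l','l','o' };
static const uint8_t lying_frame[] = { 'T','I','T','2', 0xFF,0xFF,0xFF,0xFF, 'H','e','l','l','o' };
int demo_good(void)  { char t[TITLE_MAX]; return read_title_safe(good_frame,  sizeof good_frame,  t, sizeof t); }
int demo_lying(void) { char t[TITLE_MAX]; return read_title_safe(lying_frame, sizeof lying_frame, t, sizeof t); }

/* Honest about the file, but larger than the title buffer: the frame that
 * would overrun `out` in read_title_unsafe is simply rejected. */
int demo_oversized(void) {
    uint8_t frame[8 + 100]; char t[TITLE_MAX];
    memcpy(frame, "TIT2", 4);
    frame[4] = 0; frame[5] = 0; frame[6] = 0; frame[7] = 100;
    memset(frame + 8, 'A', 100);
    return read_title_safe(frame, sizeof frame, t, sizeof t);
}
```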

 

From: Ken Cornetet [mailto:ken.corne...@kimball.com]
Sent: Thursday, September 16, 2010 9:20 AM
To: NT System Admin Issues
Subject: RE: iTunes

 

Cons addressed in-line

 

CONS

 

It is more of an iTunes Store kiosk than a music manager. 

iTunes store is available, but you don't have to use it. What can't
iTunes do as a manager that other media players can do?

 

Encourages proliferation of illegally obtained music.

More so than Windows Media Player? Actually, I'd say that the ability to
very easily buy music via the iTunes store discourages illegal music.

 

Music obtained from peer to peer networks is often infected. 

No music format that I am aware of has the capability of carrying
executable code.

 

Uses valuable bandwidth, streaming and downloading. 

No more than WMP and you can easily block it if you like.

 

Windows Media Player is already included in Windows to play music.

Why is this a con for iTunes?

 

iTunes media is generally high bitrate, meaning audio and video will
take up a lot of space.

iTunes does not control the bitrate of the digital media. The person
creating the media controls the bitrate.

 

Massive memory footprint puts a strain on system resources.

I wouldn't call iTunes svelte, but it isn't horrible in its
requirements. I run it on a Thinkpad T23 (900 MHz, 512 MB) at home.

 

Time to back up users' files increases exponentially.

Again, this has nothing to do with iTunes. Have the user put their music
files somewhere other than their "My Documents". Or, exclude media file
types from being backed up.

 

Installs other required applications with it (Quicktime, Safari,
AppleApplicationSupport, MobileMe, Bonjour, etc)

You don't have to install Safari. The other stuff stays out of the way.

 

Requires frequent updating. 

You can turn checking for updates off.

 

Requires admin rights to update it. 

AFAIK, you have to be admin to even run iTunes. This does suck.

 

iTunes updates have a nasty history of triggering system crashes.

I call BS on this. I've certainly never had a crash from running iTunes.

 

PROS

 

Apple users like it. 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
