Well said as usual, ASB.  I will add that since Microsoft has continued to
improve their out-of-the-box OS security, attackers have been focusing more
on 3rd-party applications.  "Hi Adobe!"  Minimizing potential attack vectors
should be job #1 for anyone responsible for security in their organization.

By all means, if a business case exists, load those apps where needed.

-Jeff Steward

On Thu, Sep 16, 2010 at 1:55 PM, Andrew S. Baker <asbz...@gmail.com> wrote:

> And I'm going to have to disagree with your assessment.
>
> We are just about a decade beyond the time when we swore that data-only
> formats were safe.   Today you can send malformed PDF, malformed JPG, and
> malformed GIF files, just to name a few, and these can be used to gain
> access to a machine.
>
> Now, I'm not limiting this to iTunes -- I'm merely disputing your
> "theoretical" label on this type of threat.   As long as there is an
> executable that needs to process the data file, buffer overflow exploits are
> possible.
>
> In 2010, it is a very real consideration.
>
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Sep 16, 2010 at 1:10 PM, Ken Cornetet <ken.corne...@kimball.com> wrote:
>
>>  In a very theoretical way you are correct, but as a practical matter,
>> not so much so.
>>
>>
>>
>> Yes, it is theoretically possible that iTunes could have a bug that could
>> be triggered by a specifically malformed mp3 file, but the chance that the
>> bug would lead to usable results by the “attacker” is extremely thin.
>>
>>
>>
>> It is a bit like saying that text files should be banned because some text
>> file might possibly exist that causes Notepad to download a trojan and
>> install it. Possible, but not very likely.
>>
>>
>>
>> *From:* Crawford, Scott [mailto:crawfo...@evangel.edu]
>> *Sent:* Thursday, September 16, 2010 11:22 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* RE: iTunes
>>
>>
>>
>> Music obtained from peer to peer networks is often infected.
>>
>> No music format that I am aware of has the capability of carrying
>> executable code.
>>
>>
>>
>> All files – music or otherwise – are streams of 1’s and 0’s. It’s solely up
>> to the application playing the files to determine what the bits mean. If
>> there’s a security vulnerability in iTunes, then an MP3 file would be a
>> likely vehicle for delivering it.  A file doesn’t need to be overtly “code”
>> to exploit a vulnerability.
>>
>>
>>
>> *From:* Ken Cornetet [mailto:ken.corne...@kimball.com]
>> *Sent:* Thursday, September 16, 2010 9:20 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* RE: iTunes
>>
>>
>>
>> Cons addressed in-line
>>
>>
>>
>> CONS
>>
>>
>>
>> It is more of an iTunes Store kiosk than a music manager.
>>
>> iTunes store is available, but you don’t have to use it. What can’t iTunes
>> do as a manager that other media players can do?
>>
>>
>>
>> Encourages proliferation of illegally obtained music.
>>
>> More so than Windows Media Player? Actually, I’d say that the ability to
>> very easily buy music via the iTunes store discourages illegal music.
>>
>>
>>
>> Music obtained from peer to peer networks is often infected.
>>
>> No music format that I am aware of has the capability of carrying
>> executable code.
>>
>>
>>
>> Uses valuable bandwidth, streaming and downloading.
>>
>> No more than WMP and you can easily block it if you like.
>>
>>
>>
>> Windows Media Player is already included in Windows to play music.
>>
>> Why is this a con for iTunes?
>>
>>
>>
>> iTunes media is generally high bitrate, meaning audio and video will take
>> up a lot of space.
>>
>> iTunes does not control the bitrate of the digital media. The person
>> creating the media controls the bitrate.
>>
>>
>>
>> Massive memory footprint puts a strain on system resources.
>>
>> I wouldn’t call iTunes svelte, but it isn’t horrible in its requirements.
>> I run it on a Thinkpad T23 (900MHz, 512MB) at home.
>>
>>
>>
>> Time to backup user's files increases exponentially
>>
>> Again, this has nothing to do with iTunes. Have the user put their music
>> files somewhere other than their “My Documents”. Or, exclude media file
>> types from being backed up.
>>
>>
>>
>> Installs other required applications with it (Quicktime, Safari,
>> AppleApplicationSupport, MobileMe, Bonjour, etc)
>>
>> You don’t have to install Safari. The other stuff stays out of the way.
>>
>>
>>
>> Requires frequent updating.
>>
>> You can turn checking for updates off.
>>
>>
>>
>> Requires admin rights to update it.
>>
>> AFAIK, you have to be admin to even run iTunes. This does suck.
>>
>>
>>
>> iTunes updates have a nasty history of triggering system crashes.
>>
>> I call BS on this. I’ve certainly never had a crash from running iTunes.
>>
>>
>>
>> PROS
>>
>>
>>
>> Apple users like it.
>>
>>
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>


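The point argued in the thread, that a data-only file can attack the program that parses it, shown as an added example that is not part of the original messages. The tag format, the function names and the sample bytes are all constructed for illustration: a parser that trusts a length field stored in the file, beside a version that checks it against both the file size and the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format: "TAG0" | u16 big-endian title length | title bytes */
#define TITLE_MAX 32
struct track { char title[TITLE_MAX]; };

/* Constructed samples: a well-formed tag, one whose length field (0x0400)
 * claims far more data than the file holds, and one whose title is too long. */
static const uint8_t GOOD[]      = {'T','A','G','0', 0x00,0x05, 'H','e','l','l','o'};
static const uint8_t MALFORMED[] = {'T','A','G','0', 0x04,0x00, 'A','A','A','A','A'};
static const uint8_t TOO_LONG[6 + 32] = {'T','A','G','0', 0x00,0x20};

/* Unsafe: the file decides how many bytes are copied into a 32-byte buffer. */
int parse_title_unsafe(const uint8_t *buf, size_t len, struct track *t)
{
    if (len < 6 || memcmp(buf, "TAG0", 4) != 0) return -1;
    size_t n = ((size_t)buf[4] << 8) | buf[5];
    memcpy(t->title, buf + 6, n);  /* n is attacker-chosen: overflows title[] */
    t->title[n] = '\0';
    return 0;
}

/* Hardened: the length field is treated as untrusted input. */
int parse_title_checked(const uint8_t *buf, size_t len, struct track *t)
{
    if (len < 6 || memcmp(buf, "TAG0", 4) != 0) return -1;
    size_t n = ((size_t)buf[4] << 8) | buf[5];
    if (n > len - 6) return -2;      /* claims more bytes than the file has */
    if (n >= TITLE_MAX) return -3;   /* would not fit with the terminator */
    memcpy(t->title, buf + 6, n);
    t->title[n] = '\0';
    return 0;
}

int main(void)
{
    struct track t;
    /* Only the checked parser is run on the malformed samples. */
    printf("good:      %d\n", parse_title_checked(GOOD, sizeof GOOD, &t));
    printf("malformed: %d\n", parse_title_checked(MALFORMED, sizeof MALFORMED, &t));
    printf("too long:  %d\n", parse_title_checked(TOO_LONG, sizeof TOO_LONG, &t));
    return 0;
}
```

Neither sample file contains anything that looks like code; the malformed ones differ from the good one only in a two-byte length field.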