Airscanner released a security advisory about an iTunes 6.0 Shared Music Denial of Service/Spoofing/Flooding/Abuse vulnerability.
From the advisory:
Risk Level:
Low: Denial of service (Shared Music anonymous forced disconnect) and list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and swapped, thus creating an environment in which you can’t be sure to whom you are connecting.
Summary:
iTunes is a popular service allowing you to play music, buy music, download music, share music, create playlists, etc.; it includes a video player and other features: http://www.itunes.com
The iTunes Shared Music feature allows users on a network to create playlists from songs on their computer and to share them on the network. When you create a new list and enable sharing, other iTunes users will see your lists under the Shared Music list, unless they change their preferences from the default settings. We discovered that it is possible to create spoofed Shared Music entries, to rename existing entries, to disconnect existing entries, and to re-initiate existing lists. We can also kill an existing stream without authorization via an anonymous packet.
Workaround:
Disable ‘Look for shared music’ option under the Sharing tab in Preferences.
There is also a Flash demo here.
With Apple becoming more and more popular, security researchers are more interested in OS X applications.
