
eEye Digital Security discovers four critical security flaws in Apple's QuickTime, iTunes applications

Johannesburg, 23 Jan 2006

SecureData, a member of the JSE-listed ERP.com Group and the southern African enterprise partner for eEye Digital Security, today announced the latter's discovery of four critical security vulnerabilities in Apple Computer's QuickTime software and in iTunes, the download application for Apple's iTunes music store.

These flaws have the potential to inflict serious damage, as they allow an attacker to take complete control of an affected system and execute harmful actions remotely, including installing programs and viewing, changing or deleting data.

Enterprise networks are particularly vulnerable and organisations should take immediate action to identify affected machines, as the likelihood that the immensely popular QuickTime and iTunes applications are installed on their network is extremely high. To give an indication of the scope of this issue, the iTunes music download service has distributed 850 million songs since its introduction and is often used in conjunction with the equally popular iPod personal music system, of which 42 million have been sold since the device's inception.

"Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that'. Those IT departments would be mistaken," commented Marc Maiffret, eEye's co-founder and chief hacking officer. "There are few people that have not seen a co-worker with an iPod wandering the halls of their organisation and those iPods probably mean iTunes is on your network. These flaws highlight the need for rigorous security policies and their enforcement via network security scanning and comprehensive endpoint security that will allow enterprises to mitigate this growing threat."

eEye strongly recommends that IT departments implement tools to enforce security policies that properly manage the installation of potentially vulnerable applications such as iTunes and QuickTime. Those organisations that are utilising eEye's Retina Network Security Scanner can immediately scan for affected systems running these applications. Organisations that have deployed the Blink Endpoint Intrusion Prevention System have been protected against these vulnerabilities since their discovery several months ago and can postpone patching to regularly scheduled maintenance cycles. Unlike signature-based technologies, such as anti-virus or behaviour-based solutions, current Blink customers aren't required to do anything to realise protection from this flaw, as no updates or policy changes are required.

Although these security flaws were initially found in the QuickTime application, because the popular iTunes application is so closely integrated with QuickTime, all of these security issues are also exploitable via the iTunes software. All systems running Windows 2000, Windows XP and Apple Mac OS X are vulnerable to these issues. Apple has released a solution to these issues in the form of a new version of the QuickTime player software - QuickTime 7.0.4.
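The advisory gives defenders two facts to act on: QuickTime builds earlier than 7.0.4 are affected, and iTunes carries QuickTime with it, so a host that reports only iTunes still needs checking. The script below is an added example for triaging a software inventory against those facts; it is not eEye's or Apple's code. It assumes an exported inventory in the form `hostname,os,product,version` (the sample rows are constructed, not from any real scan) and the fixed version number 7.0.4 stated above.

```python
"""Triage a software inventory against the QuickTime 7.0.4 fix.

Added example, not code from eEye or Apple. Assumes an inventory export
with one 'hostname,os,product,version' row per installed product.
"""
from typing import Dict, List, Tuple

# Fixed version from the advisory: anything older is affected.
FIXED_QUICKTIME = (7, 0, 4)

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
ws-001,Windows XP,QuickTime,7.0.3
ws-002,Windows XP,QuickTime,7.0.4
ws-003,Windows 2000,iTunes,6.0.1
mac-001,Mac OS X,QuickTime,7.0.1
mac-002,Mac OS X,QuickTime,7.1
srv-001,Windows 2000,Retina,5.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.3' into (7, 0, 3); a non-numeric component counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare versions of different lengths by zero-padding, so 7.1 > 7.0.4."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse CSV-style rows; malformed or empty lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            continue
        host, os_name, product, version = fields
        rows.append({"host": host, "os": os_name,
                     "product": product, "version": version})
    return rows


def classify(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each host with QuickTime or iTunes to a triage status.

    'vulnerable'    : QuickTime older than 7.0.4
    'patched'       : QuickTime 7.0.4 or newer
    'verify-itunes' : iTunes present but no QuickTime row; the bundled
                      QuickTime must be checked by hand (see advisory)
    Hosts with neither product are omitted.
    """
    status: Dict[str, str] = {}
    for row in rows:
        product = row["product"].lower()
        if product == "quicktime":
            if version_lt(parse_version(row["version"]), FIXED_QUICKTIME):
                status[row["host"]] = "vulnerable"
            else:
                status[row["host"]] = "patched"
        elif product == "itunes":
            # A QuickTime row for the same host, in any order, takes precedence.
            status.setdefault(row["host"], "verify-itunes")
    return status


def hosts_needing_action(status: Dict[str, str]) -> List[str]:
    """Sorted hosts that are not confirmed patched."""
    return sorted(h for h, s in status.items() if s != "patched")


if __name__ == "__main__":
    result = classify(parse_inventory(SAMPLE_INVENTORY))
    for host in sorted(result):
        print(f"{host}: {result[host]}")
    print("action required:", ", ".join(hosts_needing_action(result)))
```

Comparing version tuples rather than strings matters here: a naive string comparison would rank "7.1" below "7.0.4" and report a patched host as vulnerable.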

Over the last five years, eEye has been recognised by industry experts as the pre-eminent organisation in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.

Blink endpoint vulnerability prevention

Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage yet unknown vulnerabilities within enterprise networks. This comprehensive security solution allows organisations to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by "panic" patching. Additionally, Blink eliminates the problem of so-called "socially engineered" security threats in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks.

eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's product portfolio also includes Retina Network Security Scanner, REM Security Management Console, Iris Network Traffic Analyzer and SecureIIS Web Server Protection.

For further information, please contact Willem Barnard at telephone (011) 257 8600; fax (011) 257 8699; e-mail willemb@securedata.co.za.


eEye Digital Security

eEye Digital Security is a leading developer of network security software, and the foremost contributor to security research and education. eEye's award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye protects the networks and digital assets of more than 8 400 corporate and government deployments worldwide, including Avon, Citigroup, Continental Airlines, the US Department of Defence, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please go to www.eEye.com.

SecureData

SecureData, an ERP.com company, is Africa's premier IT security solution provider. SecureData's solutions incorporate anti-virus and content security, network security, intrusion prevention software and network asset management. SecureData's comprehensive "Managed Security Services" include design, audit, implementation, vulnerability assessment, outsourcing and hosting. SecureData distributes, sells and supports category leading IT security products to the public, corporate and SME sectors throughout Africa as well as products and services to the SOHO and consumer markets through partnerships with ISPs. As well as being the sole distributor in Sub-Saharan Africa for Trend Micro, SecureData is the African distributor for US-based TippingPoint Technologies and the southern African distributor for US-based Application Security, eEye, Rocket Software, RSA Security, St Bernard and Websense. For more information, visit SecureData at www.securedata.co.za.

ERP.com

ERP.com is a JSE-listed company focused on the implementation, integration and management of enterprise applications in an e-business environment. For more information, visit ERP.com at www.erpcom.co.za.

Editorial contacts

Paul Booth
Global Research Partners
(082) 568 1179
pabooth@mweb.co.za