Apple ignored spyware flaw in iTunes for three years

Apple took more than three years to fix a security flaw in its iTunes updater that allowed hackers to use the software to distribute spyware.

Argentinian security researcher Francisco Amato wrote to the company in July 2008 to inform it that a security flaw could be exploited to download malicious software onto users' machines under the guise of a bogus iTunes update. Amato had written a penetration-testing tool called Evilgrade, which exploited the vulnerability, to demonstrate his point.

But according to emails exchanged between Amato and cybercrime journalist Brian Krebs, despite acknowledging receipt of Amato's report, Apple did not contact the researcher again until October 2011, when the flaw was patched in iTunes update 10.5.1. The IT giant had failed to respond even when Amato published a major update to Evilgrade in October 2010.

The vulnerability only affected the Windows version of iTunes; Amato was unable to reproduce it on OS X systems.
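The article does not say how the iTunes updater was fooled or what the 10.5.1 fix changed, so the following is an added illustration rather than Apple's code or Evilgrade's: it assumes the classic weakness behind bogus-update attacks, an updater that installs whatever its update channel serves without being able to prove it came from the vendor, and shows the mitigation a defender expects, an update manifest signed with a vendor key that is pinned in the client and a payload digest checked against that signed manifest. The product name, version strings, manifest layout and payloads are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (not iTunes' real format).
// It names the product, the offered version and the SHA-256 of the payload.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex digest of the payload the client will download
}

// bytes returns the canonical byte string that the vendor signs.
func (m Manifest) bytes() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignedManifest is what the update channel serves: manifest plus signature.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrBadDigest    = errors.New("payload digest does not match the signed manifest")
)

// SignManifest is the vendor-side step: sign the canonical manifest bytes.
func SignManifest(vendorPriv ed25519.PrivateKey, m Manifest) SignedManifest {
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(vendorPriv, m.bytes())}
}

// VerifyUpdate is the hardened client path. pinnedKey ships inside the client;
// it is never fetched from the same channel that delivers updates, so an
// on-path party who can serve a manifest still cannot produce a valid signature.
func VerifyUpdate(pinnedKey ed25519.PublicKey, sm SignedManifest, payload []byte) error {
	if !ed25519.Verify(pinnedKey, sm.Manifest.bytes(), sm.Signature) {
		return ErrBadSignature
	}
	if digestHex(payload) != sm.Manifest.SHA256 {
		return ErrBadDigest
	}
	return nil
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Scenario runs three constructed cases and returns the verifier's verdicts:
// a genuine update, a bogus update signed by a key the client does not trust,
// and a genuine manifest whose payload was swapped in transit.
func Scenario() (genuine, bogus, tampered error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed key, unknown to the client

	goodPayload := []byte("constructed genuine update payload")
	good := SignManifest(vendorPriv, Manifest{"player", "10.5.1", digestHex(goodPayload)})

	badPayload := []byte("constructed payload that did not come from the vendor")
	fake := SignManifest(otherPriv, Manifest{"player", "10.5.2", digestHex(badPayload)})

	genuine = VerifyUpdate(vendorPub, good, goodPayload)
	bogus = VerifyUpdate(vendorPub, fake, badPayload)
	tampered = VerifyUpdate(vendorPub, good, badPayload) // valid manifest, swapped payload
	return genuine, bogus, tampered
}

func main() {
	g, b, t := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("bogus update:  ", b)
	fmt.Println("swapped payload:", t)
}
```

The point of the two failing cases is that authenticating the update channel's transport alone is not enough: the client must be able to verify the update's origin with a key it already holds, and must bind the downloaded bytes to that verified manifest, otherwise whoever controls the channel controls what gets installed.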

Other spyware packages have used fake iTunes updates as a means of distribution. FinFisher, a piece of surveillance software by British software developer Gamma International that, as we reported in September, had been tested by the ousted Mubarak regime in Egypt, used a bogus update to the music-playing software to install itself on victims' computers.