Apple Patches iTunes

iTunes 10.5.1, released this week, is available for both the Mac and Windows PCs. The patch fixes a flaw that could make a so-called man-in-the-middle attack possible.

The vulnerability stems from older versions of iTunes using unsecured HTTP to check for updates on Apple servers. Those unencrypted requests could be intercepted by attackers, who could then reply with a forged response carrying the attackers' own URL. The flaw can only be exploited on Windows PCs that do not have Apple Software Update installed.
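A client-side check that closes the gap described above, as an added example that is not Apple's code or part of the original article: it refuses an update check sent over plain HTTP and rejects any response whose download URL is not HTTPS on an allowlisted host. The host names, the JSON manifest format and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed hosts for illustration; not Apple's real update endpoints.
TRUSTED_HOSTS = {"updates.example.com", "downloads.example.com"}

# Constructed sample responses (hypothetical manifest format).
GOOD = '{"version": "10.5.1", "url": "https://downloads.example.com/setup.exe"}'
FORGED = '{"version": "99.0", "url": "http://attacker.invalid/setup.exe"}'


class UpdateRejected(Exception):
    """Raised when an update check or its response fails validation."""


def require_trusted_https(url, what):
    """Reject any URL that is not HTTPS on an allowlisted host."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UpdateRejected(f"{what} is malformed: {exc}") from exc
    if parts.scheme != "https":
        raise UpdateRejected(f"{what} is not HTTPS: {url!r}")
    # .hostname is lower-cased and excludes userinfo and port, so a
    # trusted name placed before an "@" does not pass the allowlist.
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"{what} host not allowlisted: {parts.hostname!r}")


def validate_update(check_url, manifest_body):
    """Return the download URL only if both the check and the reply pass."""
    require_trusted_https(check_url, "update check URL")
    try:
        download_url = json.loads(manifest_body)["url"]
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateRejected(f"malformed manifest: {exc!r}") from exc
    if not isinstance(download_url, str):
        raise UpdateRejected("manifest url is not a string")
    require_trusted_https(download_url, "download URL")
    return download_url


if __name__ == "__main__":
    print(validate_update("https://updates.example.com/check", GOOD))
    try:
        validate_update("https://updates.example.com/check", FORGED)
    except UpdateRejected as err:
        print("rejected:", err)
```

The URL checks only help if the HTTP client that performs the request also validates the server's TLS certificate, which is the endpoint authentication the article refers to.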

Man-in-the-middle attacks are difficult to pull off because they require the attacker to convincingly impersonate at least one side of the conversation. Secured protocols encrypt messages in transit, and that encryption can't be decoded without endpoint authentication.

Sites that use a mixture of secured and unsecured content are particularly vulnerable to man-in-the-middle attacks against visitors ignorant of the threat.
