Masaca's Blog 2

Monologue, diary, gripes, nonsense, memos... call it whatever you like (lol).

iPod touch v2.1

2008-09-10 06:36:37 | Apple
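iPod touch v2.1 is now available. This update is not delivered via Software Update; it is available only through iTunes. iTunes checks for updates once a week and downloads an update when it detects one. The update is applied the next time the iPod touch is connected. To update manually, click the "Check for Update" button in iTunes. The update is then performed when the iPod touch is connected to its dock.
The e-mail from Apple Product Security is quoted below.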
APPLE-SA-2008-09-09 iPod touch v2.1

iPod touch v2.1 is now available and addresses the following issues:

Application Sandbox
CVE-ID: CVE-2008-3631
Available for: iPod touch v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPod touch versions prior to v2.0.

CoreGraphics
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808
Available for: iPod touch v1.1 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/

mDNSResponder
CVE-ID: CVE-2008-1447
Available for: iPod touch v1.1 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

Networking
CVE-ID: CVE-2008-3612
Available for: iPod touch v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPod touch versions prior to v2.0.

WebKit
CVE-ID: CVE-2008-3632
Available for: iPod touch v1.1 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.

Installation note:

This update is only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an internet connection and have installed the latest version of iTunes from www.apple.com/itunes/

iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting "don't install" will present the option the next time you connect your iPod touch.

The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the "Check for Update" button within iTunes. After doing this, the update can be applied when your iPod touch is docked to your computer.

To check that the iPod touch has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "2.1 (5F135)" or later

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222


Bonjour for Windows 1.0.5

2008-09-10 06:34:26 | Apple
Bonjour for Windows 1.0.5 is reportedly out. This update is said to be included in iTunes 8.0 for Windows.
The e-mail from Apple Product Security is quoted below.
APPLE-SA-2009-09-09 Bonjour for Windows 1.0.5

Bonjour for Windows 1.0.5 is now available and addresses the following issues:

mDNSResponder
CVE-ID: CVE-2008-2326
Available for: Windows Vista, XP SP2 and SP3, 2003, 2000
Impact: Resolving a maliciously crafted ".local" domain name may cause an unexpected application termination
Description: A null pointer dereference issue exists in the Bonjour Namespace Provider. Resolving a maliciously crafted ".local" domain name containing a long DNS label may cause an unexpected application termination. This update addresses the issue by performing additional validation of DNS labels. This issue does not affect systems running Mac OS X. Credit to Mario Ballano of 48bits.com for reporting this issue.

mDNSResponder
CVE-ID: CVE-2008-3630
Available for: Windows Vista, XP SP2 and SP3, 2003, 2000
Impact: mDNSResponder may return forged information for unicast DNS queries
Description: Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against spoofing attacks. This change does not affect Multicast DNS resolution.

Bonjour for Windows 1.0.5 is included in iTunes 8.0.

Bonjour for Windows 1.0.5 may be obtained from
Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "BonjourSetup.exe"
Its SHA-1 digest is: 681e3505bb9d7780c200e5a5eba43e8ba7062c05

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
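
Added example (not part of the quoted Apple advisories and not Apple's code): the CVE-2008-1447 entry in the iPod touch advisory and the CVE-2008-3630 entry above both name source port and transaction ID randomization as the fix. The Python below shows the acceptance check that makes that randomization count for a unicast stub resolver, and the label-length validation RFC 1035 requires. `PendingQuery`, `make_reply`, `guess_space`, the server address 192.0.2.53 and the 1024..65535 port range are assumptions made for illustration.

```python
import secrets
import struct

def encode_name(name):
    """Encode a host name as DNS labels; RFC 1035 limits a label to 63 bytes."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid):
    """12-byte header (RD set, one question) followed by an A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

class PendingQuery:
    """State a stub resolver keeps for one outstanding unicast query."""

    def __init__(self, name, server):
        self.server = server                          # (ip, port) queried
        self.txid = secrets.randbelow(1 << 16)        # random 16-bit transaction ID
        self.sport = 1024 + secrets.randbelow(64512)  # random source port 1024..65535
        self.packet = build_query(name, self.txid)

    def accepts(self, reply, src, dport):
        """Accept a reply only if every value a spoofer must guess matches."""
        if src != self.server or dport != self.sport or len(reply) < 12:
            return False
        txid, flags, qdcount = struct.unpack("!HHH", reply[:6])
        if txid != self.txid or not flags & 0x8000 or qdcount != 1:
            return False
        question = self.packet[12:]
        return reply[12:12 + len(question)] == question

def make_reply(query, txid):
    """Constructed reply for the demo: echoes the question and sets the QR bit."""
    return struct.pack("!HH", txid, 0x8180) + query[4:]

def guess_space(random_port):
    """Number of (transaction ID, port) combinations a blind spoofer faces."""
    return (1 << 16) * (64512 if random_port else 1)

if __name__ == "__main__":
    q = PendingQuery("www.example.com", ("192.0.2.53", 53))
    good = make_reply(q.packet, q.txid)
    print(q.accepts(good, q.server, q.sport))                              # genuine reply
    print(q.accepts(make_reply(q.packet, q.txid ^ 1), q.server, q.sport))  # wrong ID
    print(guess_space(False), guess_space(True))
```

With a fixed source port only the 16-bit transaction ID protects a query; adding a random port multiplies the values a forged reply has to match by the size of the port range.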


iTunes 8.0

2008-09-10 06:28:53 | Apple
iTunes 8.0 is out via Software Update.

iTunes 8.0 58.4 MB
iTunes 8 includes the Genius feature, which automatically selects songs of the same taste from your library and builds a playlist. The Genius sidebar, part of the Genius feature, recommends songs from the iTunes Store that you do not yet own.

Use iTunes 8 to browse artists and albums in the new grid view. Download your favorite TV shows from the iTunes Store in HD quality. Sync media with iPod nano (4th generation), iPod classic (120 GB), and iPod touch (2nd generation). And enjoy the captivating new music visualizer.

iTunes 8 and iTunes U are now accessible with VoiceOver on your Mac.

For details on the security content of this update, visit the following website: http://support.apple.com/kb/HT1222?viewlocale=ja_JP
The e-mail from Apple Product Security is quoted below.
APPLE-SA-2009-09-09 iTunes 8.0

iTunes 8.0 is now available and addresses the following issues:

iTunes
CVE-ID: CVE-2008-3634
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Firewall warning dialog in iTunes is misleading
Description: When the firewall is configured to block iTunes Music Sharing and the user enables iTunes Music Sharing in iTunes, a warning dialog is displayed which incorrectly informs the user that unblocking iTunes Music Sharing doesn't affect the firewall's security. Allowing iTunes Music Sharing or any other service through the firewall inherently affects security by exposing the service to remote entities. This update addresses the issue by refining the text in the warning dialog. This issue does not affect systems running Mac OS X v10.5 or later. Credit info to Eric Hall of DarkArt Consulting Services, Inc. for reporting this issue.

iTunes
CVE-ID: CVE-2008-3636
Available for: Windows XP or Vista
Impact: A local user may gain system privileges
Description: A third-party driver provided with iTunes may trigger an integer overflow, and could allow a local user to obtain system privileges. Credit to Ruben Santamarta of Wintercore for reporting this issue.

iTunes 8.0 may be obtained from: http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes8.dmg"
Its SHA-1 digest is: af54727e4b2e0e6bb0c367b34ae5075f36096aef

For Windows XP / Vista:
The download file is named: "iTunes8Setup.exe"
Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359

For Windows XP / Vista 64 Bit:
The download file is named: "iTunes864Setup.exe"
Its SHA-1 digest is: 86df5d9899a8dad82b893309dc18672e3d2cccd0

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222



QuickTime 7.5.5

2008-09-10 06:21:35 | Apple
QuickTime 7.5.5 is out via Software Update.

QuickTime 7.5.5 67.5 MB
QuickTime 7.5.5 includes changes that improve reliability, application compatibility, and security.

This release is recommended for all QuickTime 7 users.

For details on the security content of this update, see the following website: http://www.info.apple.com/kbnum/n61798-ja
The e-mail from Apple Product Security is quoted below.
APPLE-SA-2008-09-09 QuickTime 7.5.5

QuickTime 7.5.5 is now available and addresses the following issues:

QuickTime
CVE-ID: CVE-2008-3615
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to Paul Byrne of NGSSoftware for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3635
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the third-party Indeo v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3624
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3625
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3614
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3626
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of STSZ atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3627
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues exist in QuickTime's handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of H.264 encoded movie files. Credit to an anonymous researcher and Subreption LLC working with TippingPoint's Zero Day Initiative for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3628
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An invalid pointer issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by correctly saving and restoring a global variable. This issue does not affect systems running Mac OS X. Credit to David Wharton for reporting this issue.

QuickTime
CVE-ID: CVE-2008-3629
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination
Description: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

QuickTime 7.5.5 may be obtained from the Software Update application, or from the QuickTime Downloads site: http://www.apple.com/quicktime/download/

For Mac OS X v10.5 or later
The download file is named: "QuickTime755_Leopard.dmg"
Its SHA-1 digest is: 934f784a553c2d4484d298071ad6d95ea34b8b2f

For Mac OS X v10.4.9 through Mac OS X v10.4.11
The download file is named: "QuickTime755_Tiger.dmg"
Its SHA-1 digest is: dcdf58e27aad2a1e958788c0f58584605c4b8e78

For Windows Vista / XP SP2 and SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 5900ff0b8044972cb06b52dfc913c6364bf27ccc

QuickTime with iTunes for Windows XP or Vista
The download file is named: iTunes8Setup.exe
Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
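
Added example (not part of the quoted Apple advisories): the advisories above publish each installer as a "download file is named" / "SHA-1 digest is" pair, so a downloaded file can be checked against the published value before it is run. The Python below parses those pairs out of advisory text and verifies a local file; the function names are assumptions made for illustration, and the embedded excerpt is copied from the QuickTime advisory on this page.

```python
import hashlib
import hmac
import re

# Excerpt of the QuickTime 7.5.5 advisory as quoted on this page; note that
# the second file name is unquoted in the source.
ADVISORY = '''For Windows Vista / XP SP2 and SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 5900ff0b8044972cb06b52dfc913c6364bf27ccc

QuickTime with iTunes for Windows XP or Vista
The download file is named: iTunes8Setup.exe
Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359
'''

# File name (quoted or not) on one line, 40 hex digits on the next.
PAIR = re.compile(
    r'The download file is named:[ \t]*"?([^"\n]+?)"?[ \t]*\n'
    r'Its SHA-1 digest is:[ \t]*([0-9a-fA-F]{40})\b')

def parse_digests(advisory_text):
    """Map file name -> lowercase SHA-1 hex digest found in an advisory body."""
    published = {}
    for name, digest in PAIR.findall(advisory_text):
        digest = digest.lower()
        if published.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests published for {name}")
    return published

def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, name, published):
    """Return 'match', 'MISMATCH', or 'unlisted' for a downloaded file."""
    if name not in published:
        return "unlisted"
    same = hmac.compare_digest(sha1_of(path), published[name])
    return "match" if same else "MISMATCH"

if __name__ == "__main__":
    for name, digest in parse_digests(ADVISORY).items():
        print(f"{digest}  {name}")
```

The comparison is only as trustworthy as the copy of the advisory the digests were taken from, so the text should come from Apple's signed mail or the Apple Security Updates page rather than a repost.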



Let's Rock!

2008-09-10 03:40:08 | Apple
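For some reason I woke up, so I'm watching the real-time updates from Engadget and Gizmodo.
Just as rumored, it looks like iTunes 8, the 4G iPod nano, and the 2G iPod touch are out.

The new feature in iTunes 8 is "Genius". It is described as "a feature that builds a playlist matched to your tastes and library with one click". There's talk that playlist information may or may not be uploaded to a server, and may or may not get analyzed...

The 4G iPod nano has the tall form factor, just as leaked beforehand. It follows the iPhone style with a curved design that gets thinner toward the edges, so the cross-section is naturally elliptical. And it's said to be the thinnest ever. The display is portrait, but like the iPhone and iPod touch it has an accelerometer, so turn it sideways and you get landscape display! Of course, Cover Flow in landscape mode is included. The new Genius playlist feature is included too. A calendar, a stopwatch, and a voice recorder when a microphone is connected! And, believe it or not, shake to shuffle. Battery life is 24 hours for music and 4 hours for video. It comes in 7 colors 9 colors (confirmed on the online store), with capacities of 8 GB at $149 and 16 GB at $199.

The 2G iPod touch likewise follows the iPhone style with a curved back. It newly adds volume buttons and a speaker. Genius playlists are of course included as well. And Nike+, until now exclusive to the iPod nano, is built in. The receiver is internal, so there is no need to attach one to the dock connector. The other specs are the same as the 1G. Unfortunately, there are none of the major upgrades people were hoping for, such as a 64 GB model, a built-in camera, or built-in GPS. Personally, it feels more like a minor update than a "2G". Capacities are, as before, 8 GB at $229 and 16 GB at $299, plus 32 GB at $399. The software is iPhone iPod touch v2.1. For the 1G iPod touch, it is free if you are on 2.0. If you are on 1.x, it is $9.95 and available today. For the iPhone it is free and will be available around Friday.

Also, the iPod classic gets a capacity bump to 120 GB and goes on sale at $249. The iPod shuffle is unchanged apart from new colors.

The other news is a new accessory: in-ear headphones with a small remote with microphone partway along the cord.

They are already available on the Japanese Apple Store online. As of now, the 4G iPod nano 8 GB is 17,800 yen and ships within 24 hours. The 16 GB is 23,800 yen and ships in 5-7 business days. For the iPod touch, the 8 GB is 27,800 yen, the 16 GB is 35,800 yen, and the 32 GB is 47,800 yen, all scheduled to ship in 2-4 weeks. The in-ear headphones are 9,400 yen and coming soon. The iPod classic 120 GB is 29,800 yen.

So, am I going to click "buy"? I'd like to, but first I'll sleep and think about it tomorrow morning.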

Apple Store(Japan)
  • Apple announces iTunes 8
  • Apple announces the new iPod touch
  • Apple announces the new iPod nano