iTunes security vulnerability had been present for over three years
Apple had been aware of a vulnerability in the iTunes update system for more than three years before fixing it in version 10.5.1, released in mid-November 2011. According to security expert Brian Krebs, who has seen email correspondence between the two parties, security researcher Francisco Amato informed Apple of the problem in summer 2008.
Prior to version 10.5.1, iTunes carried out its integrated update check over an unencrypted HTTP request. An attacker who controlled the user's network could therefore present his own software as a legitimate iTunes update and, where Apple's Software Update application was not present, have the HTTP response opened in a standard browser. The company behind "FinFisher" advertised the vulnerability as a means of installing its spyware application on target systems.
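The weakness described above is an update client that trusts whatever comes back over a plaintext channel. The following Python is an added illustration of the checks such a client needs, not Apple's or iTunes' code: it refuses a manifest whose download URL is not HTTPS, refuses versions that are not newer than the installed one, and pins the downloaded payload to the digest and size carried in the manifest. The manifest format, version scheme, hostnames and installer bytes are all constructed for the example.

```python
"""Update-manifest verification: the checks an update client needs so that
an attacker on the network path cannot substitute their own payload.

Added illustration; not Apple's or iTunes' code. The manifest format,
version scheme and sample values below are all assumed/constructed.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update manifest or payload fails verification."""


def parse_version(v: str) -> tuple:
    """Turn '10.5.1' into (10, 5, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def validate_manifest(manifest_json: str, installed_version: str) -> dict:
    """Check the update manifest before any payload is fetched.

    - URL must be https (a plaintext http check is the flaw described above).
    - Offered version must be newer than the installed one (blocks downgrade).
    - A sha256 digest and size must be present for payload pinning.
    """
    m = json.loads(manifest_json)
    url = urlparse(m.get("url", ""))
    if url.scheme != "https" or not url.netloc:
        raise UpdateRejected("update URL must use https")
    if parse_version(m["version"]) <= parse_version(installed_version):
        raise UpdateRejected("offered version is not newer than installed")
    if len(m.get("sha256", "")) != 64 or not isinstance(m.get("size"), int):
        raise UpdateRejected("manifest lacks sha256/size for payload pinning")
    return m


def verify_payload(manifest: dict, payload: bytes) -> bool:
    """Compare the downloaded bytes with the digest pinned in the manifest."""
    if len(payload) != manifest["size"]:
        return False
    digest = hashlib.sha256(payload).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(digest, manifest["sha256"])


# --- constructed sample data (not real iTunes artefacts) ---
GENUINE_PAYLOAD = b"genuine installer bytes (constructed sample)"
SPOOFED_PAYLOAD = b"attacker-supplied installer (constructed sample)"

GOOD_MANIFEST = json.dumps({
    "version": "10.5.1",
    "url": "https://updates.example.invalid/itunes/10.5.1/installer.pkg",
    "sha256": hashlib.sha256(GENUINE_PAYLOAD).hexdigest(),
    "size": len(GENUINE_PAYLOAD),
})

# Same manifest, but pointing at a plaintext URL: must be refused outright.
PLAINTEXT_MANIFEST = json.dumps({
    "version": "10.5.1",
    "url": "http://updates.example.invalid/itunes/10.5.1/installer.pkg",
    "sha256": hashlib.sha256(GENUINE_PAYLOAD).hexdigest(),
    "size": len(GENUINE_PAYLOAD),
})


def demo() -> dict:
    """Run the checks over the constructed samples and report the outcomes."""
    results = {}
    m = validate_manifest(GOOD_MANIFEST, "10.5.0")
    results["genuine"] = verify_payload(m, GENUINE_PAYLOAD)      # True
    results["spoofed"] = verify_payload(m, SPOOFED_PAYLOAD)      # False
    try:
        validate_manifest(PLAINTEXT_MANIFEST, "10.5.0")
        results["plaintext_url"] = "accepted"
    except UpdateRejected:
        results["plaintext_url"] = "rejected"
    try:
        validate_manifest(GOOD_MANIFEST, "10.5.1")  # already installed
        results["downgrade"] = "accepted"
    except UpdateRejected:
        results["downgrade"] = "rejected"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The digest pin only helps if the manifest itself arrived over an authenticated channel (TLS with certificate validation, or a manifest carrying a signature the client verifies with a pinned public key); a digest delivered over the same plaintext HTTP connection as the payload can be rewritten by the same attacker. The version comparison is included because an update channel that accepts any "update" also accepts an older, known-vulnerable build.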