A flaw patched after 3 years

Two weeks ago Apple published iTunes 10.5.1. It patched a flaw that Apple had been aware of for more than 3 years. Security expert Brian Krebs said he had seen correspondence between Apple and Francisco Amato, who informed Apple of the issue in summer 2008.
But for three years Apple left the hole open. An attacker could use HTTP queries to make his own software look like legitimate iTunes software.
It is not known why Apple hadn’t patched the flaw earlier. Krebs thinks the company either simply forgot about the issue or did not recognize the hole as serious because it affected only Windows users.


source: Heise Online
25.11.2011