Apple''s music playing and purchasing iTunes software for Windows has a vulnerability that attackers could use to infect a PC with any code of their choice, a security firm said Tuesday. In response, Apple updated iTunes and recommended users download the new version.

A bug in how iTunes for Windows XP and Windows 2000 parses MPEG4 files is at fault, Apple comfirmed. A maliciously-crafted MPEG4 audio file can create a buffer overflow, which could crash the program or give the attacker an opportunity to introduce code of his own.

Danish security firm Secunia rated the vulnerability as "Highly critical," its second-highest warning. This is the second bug in iTunes made public this year; in January, a flaw in the software''s playlist might have allowed attackers to generate a buffer overflow. Apple posted a revised version, 4.7.1, the same day the vulnerability was disclosed.

iTunes 4.8 fixes plugs the hole, and can be downloaded from Apple''s site or updated from within earlier editions of iTunes.

The Mac version of iTunes 4.8 includes a new feature that lets users transfer contacts and calendars from their computer to an iPod. Mac OS X 10.4 (Tiger) is required for this enhancement, however.

In other news, Apple on Tuesday also opened four new iTunes Music Stores in Sweden, Norway, Denmark, and Switzerland. The additions bring the total iTunes country count to 19, with Apple claiming that it now reaches 70 percent of the world''s music buyers