Apple iTunes Multiple Vulnerabilities

by Carol~ Moderator - 5/17/13 5:32 AM

In Reply to: VULNERABILITIES / FIXES - May 17, 2013 by Carol~ Moderator

Release Date : 2013-05-17

Criticality level: Highly critical
Impact: Spoofing, System access
Where: From remote
Solution Status: Vendor Patch

Software: Apple iTunes 11.x

Description:
Multiple vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious people to conduct spoofing attacks and compromise a user's system.

1) The application does not properly validate SSL server certificates, which can be exploited to e.g. conduct Man-in-the-Middle (MitM) attacks.

2) Some unspecified errors exist within the WebKit component. No further information is currently available.

3) Some vulnerabilities are caused due to a bundled vulnerable version of WebKit.

The vulnerabilities are reported in versions prior to 11.0.3.

Solution:
Update to version 11.0.3.

Provided and/or discovered by:
1) The vendor credits Christopher, ThinkSECURE Pte Ltd and Christopher Hickstein, University of Minnesota.

The vendor also credits:
Jay Civelli, the Chromium development community
Inferno and Martin Barbella, Google Chrome Security Team
Fermin J. Serna, the Google Security Team
David German, Google
Vitaliy Toropov and pa_kt via ZDI
Sergey Glazunov
miaubiz
Ryan Humenick

Original Advisory:
APPLE-SA-2013-05-16-1:
http://support.apple.com/kb/HT5766

http://secunia.com/advisories/53471/