Apple iTunes Multiple Vulnerabilities
Release Date: 2013-05-17
Criticality level: Highly critical
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Apple iTunes 11.x
Multiple vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious people to conduct spoofing attacks and compromise a user's system.
1) The application does not properly validate SSL server certificates, which can be exploited e.g. to conduct Man-in-the-Middle (MitM) attacks.
2) Some unspecified errors exist within the WebKit component. No further information is currently available.
3) Some vulnerabilities are caused by a bundled vulnerable version of WebKit.
The vulnerabilities are reported in versions prior to 11.0.3.
Update to version 11.0.3.
Provided and/or discovered by:
1) The vendor credits Christopher, ThinkSECURE Pte Ltd and Christopher Hickstein, University of Minnesota.
The vendor also credits:
Jay Civelli, the Chromium development community
Inferno and Martin Barbella, Google Chrome Security Team
Fermin J. Serna, the Google Security Team
David German, Google
Vitaliy Toropov and pa_kt via ZDI