Home / mailingsPDF  

APPLE-SA-2014-01-22-1 iTunes 11.1.4

Posted on 22 January 2014
Apple Security-announce

--===============1223067120==
Content-type: multipart/signed;
boundary="Apple-Mail=_18467391-C59F-418C-9426-6CCF4C00548F";
protocol="application/pgp-signature"; micalg=pgp-sha1


--Apple-Mail=_18467391-C59F-418C-9426-6CCF4C00548F
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-01-22-1 iTunes 11.1.4

iTunes 11.1.4 is now available and addresses the following:

iTunes
Available for: Mac OS X v10.6.8 or later, Windows 8, Windows 7,
Vista, XP SP2 or later
Impact: An attacker with a privileged network position may control
the contents of the iTunes Tutorials window
Description: The contents of the iTunes Tutorials window are
retrieved from the network using an unprotected HTTP connection. An
attacker with a privileged network position may inject arbitrary
contents. This issue was addressed by using an encrypted HTTPS
connection to retrieve tutorials.
CVE-ID
CVE-2014-1242 : Apple

iTunes
Available for: Windows 8, Windows 7, Vista, XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation

iTunes
Available for: Windows 8, Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code executionn
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-1037 : Google Chrome Security Team
CVE-2013-1038 : Google Chrome Security Team
CVE-2013-1039 : own-hero Research working with iDefense VCP
CVE-2013-1040 : Google Chrome Security Team
CVE-2013-1041 : Google Chrome Security Team
CVE-2013-1042 : Google Chrome Security Team
CVE-2013-1043 : Google Chrome Security Team
CVE-2013-1044 : Apple
CVE-2013-1045 : Google Chrome Security Team
CVE-2013-1046 : Google Chrome Security Team
CVE-2013-1047 : miaubiz
CVE-2013-2842 : Cyril Cattiaux
CVE-2013-5125 : Google Chrome Security Team
CVE-2013-5126 : Apple
CVE-2013-5127 : Google Chrome Security Team
CVE-2013-5128 : Apple

libxml
Available for: Windows 8, Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code executionn
Description: Multiple memory corruption issues existed in libxml.
These issues were addressed by updating libxml to version 2.9.0.
CVE-ID
CVE-2011-3102 : Juri Aedla
CVE-2012-0841
CVE-2012-2807 : Juri Aedla
CVE-2012-5134 : Google Chrome Security Team (Juri Aedla)

libxslt
Available for: Windows 8, Windows 7, Vista, XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code executionn
Description: Multiple memory corruption issues existed in libxslt.
These issues were addressed by updating libxslt to version 1.1.28.
CVE-ID
CVE-2012-2825 : Nicolas Gregoire
CVE-2012-2870 : Nicolas Gregoire
CVE-2012-2871 : Kai Lu of Fortinet's FortiGuard Labs, Nicolas
Gregoire


iTunes 11.1.4 may be obtained from:
http://www.apple.com/itunes/download/

For OS X:
The download file is named: iTunes11.1.4.dmg
Its SHA-1 digest is: ffde4658def154edfa479696e40588e9252e7276

For Windows XP / Vista / Windows 7 / Windows 8:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 3701f3e7f7c44bad05631533f2ab52e08ae0ba1f

For 64-bit Windows XP / Vista / Windows 7 / Windows 8:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: fd9caee83907b9f6aa01d031f63fa9ed9be2bfab

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP

Mailings :

Exploits :