Apple has released a new version of iTunes for the Macintosh and Windows platforms. The update fixes a combined 40 bugs: 1 flaw resolved in iTunes for both Mac OS X v10.6.8 or later and Windows 7, Vista, XP SP2 or later, and an additional 39 flaws resolved only in iTunes for Windows 7, Vista, XP SP2 or later.
The iTunes versions available for Mac OS X v10.6.8 or later and for Windows 7, Vista, XP SP2 or later address a vulnerability in which an attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information. According to Apple’s description, a certificate validation issue existed in iTunes: in certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation.
The iTunes versions available for Windows 7, Vista, XP SP2 or later also address a vulnerability in which a man-in-the-middle attack that occurs while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit; they were addressed through improved memory handling.
- CVE-2012-2824, CVE-2012-2857, CVE-2012-3748, CVE-2012-5112, CVE-2013-0879, CVE-2013-0912, CVE-2013-0948, CVE-2013-0949, CVE-2013-0950, CVE-2013-0951, CVE-2013-0952, CVE-2013-0953, CVE-2013-0954, CVE-2013-0955, CVE-2013-0956, CVE-2013-0958, CVE-2013-0959, CVE-2013-0960, CVE-2013-0961, CVE-2013-0991, CVE-2013-0992, CVE-2013-0993, CVE-2013-0994, CVE-2013-0995, CVE-2013-0996, CVE-2013-0997, CVE-2013-0998, CVE-2013-0999, CVE-2013-1000, CVE-2013-1001, CVE-2013-1002, CVE-2013-1003, CVE-2013-1004, CVE-2013-1005, CVE-2013-1006, CVE-2013-1007, CVE-2013-1008, CVE-2013-1010, CVE-2013-1011
Users of iTunes 11.0.2 and earlier versions for Mac and Windows should download and install the update to iTunes 11.0.3 from the Downloads page or through the software’s update function.