ESB-2012.0529 - [Win][OSX] iTunes: Multiple vulnerabilities

Date: 12 June 2012
References: ESB-2012.0436  ESB-2012.0459  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0529
              iTunes 10.6.3 corrects multiple vulnerabilities
                               12 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Mac OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0677 CVE-2012-0672 

Reference:         ESB-2012.0459
                   ESB-2012.0436

Original Bulletin: 
   http://support.apple.com/kb/HT5318

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-06-11-1 iTunes 10.6.3

iTunes 10.6.3 is now available and addresses the following:

iTunes
Available for:  Mac OS X v10.5 or later, Windows 7, Vista,
XP SP2 or later
Impact:  Importing a maliciously crafted .m3u playlist may lead to an
unexpected application termination or arbitrary code execution
Description:  A heap buffer overflow existed in the handling of .m3u
playlists.
CVE-ID
CVE-2012-0677 : Gjoko Krstic of Zero Science Lab

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome
Security Team


iTunes 10.6.3 may be obtained from:
http://www.apple.com/itunes/download/

For Mac OS X:
The download file is named: "iTunes10.6.3.dmg"
Its SHA-1 digest is: e673e5cbd2955130efbc92a788fff178e66bd155

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 2618f701f1d1a853e33138a57bec193bcd08438e

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: 3806af762a066fde3d7e83f86a429ae40175561e
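The digests above are only useful if they are actually checked against the file you downloaded. The script below is an added example (not Apple's or AusCERT's code) that streams an installer through SHA-1 and compares the result with the digest table copied from this bulletin. The table name `PUBLISHED_SHA1`, the function names and the look-up by file name are this example's own conventions, not anything defined by Apple; the `b"abc"` sample in `self_check()` is a constructed test vector, not an installer.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-1 digests exactly as published in APPLE-SA-2012-06-11-1 above
# (assumed table layout: file name -> published hex digest).
PUBLISHED_SHA1 = {
    "iTunes10.6.3.dmg": "e673e5cbd2955130efbc92a788fff178e66bd155",
    "iTunesSetup.exe": "2618f701f1d1a853e33138a57bec193bcd08438e",
    "iTunes64Setup.exe": "3806af762a066fde3d7e83f86a429ae40175561e",
}


def sha1_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha1_of_bytes(data):
    """Convenience wrapper for in-memory data (used for the known test vectors)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    with open(path, "rb") as f:
        return sha1_of_stream(f)


def digest_matches(actual, expected):
    """Normalise case and whitespace before comparing; digests are usually pasted from text."""
    return actual.strip().lower() == expected.strip().lower()


def verify_installer(path, published=PUBLISHED_SHA1):
    """Return (ok, actual_digest, expected_digest) for a downloaded installer.

    The expected digest is looked up by file name. A name that is not in the
    published table raises KeyError, so an unknown file is never quietly accepted.
    """
    expected = published[Path(path).name]
    actual = sha1_of_file(path)
    return digest_matches(actual, expected), actual, expected


def self_check():
    """Round-trip the file code path with a constructed sample.

    b"abc" is a standard SHA-1 test vector (a9993e36...); it must NOT match the
    published digest for iTunesSetup.exe, and must match the known vector.
    """
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "iTunesSetup.exe")  # constructed file, not a real installer
        with open(sample, "wb") as f:
            f.write(b"abc")
        ok_published, actual, _ = verify_installer(sample)
        ok_vector = digest_matches(actual, "a9993e364706816aba3e25717850c26c9cd0d89d")
        return (not ok_published) and ok_vector


if __name__ == "__main__":
    # Usage: python verify_itunes.py iTunesSetup.exe iTunes64Setup.exe ...
    for p in sys.argv[1:]:
        ok, actual, expected = verify_installer(p)
        print(f"{p}: {'OK' if ok else 'MISMATCH'} sha1={actual} expected={expected}")
        if not ok:
            sys.exit(1)
```

A matching digest shows that the file on disk is the one Apple described, not that the digest itself reached you untampered; that part rests on the PGP signature over this message, which can be checked against the Apple Product Security key linked below. SHA-1 is what Apple published in 2012; where a vendor offers SHA-256 digests, prefer those, since SHA-1 collisions are now practical.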

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----