===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2012.0256
iTunes 10.6 corrects multiple vulnerabilities
9 March 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           iTunes 10.6
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0648 CVE-2012-0639 CVE-2012-0638
                   CVE-2012-0637 CVE-2012-0636 CVE-2012-0635
                   CVE-2012-0634 CVE-2012-0633 CVE-2012-0632
                   CVE-2012-0631 CVE-2012-0630 CVE-2012-0629
                   CVE-2012-0628 CVE-2012-0627 CVE-2012-0626
                   CVE-2012-0625 CVE-2012-0624 CVE-2012-0623
                   CVE-2012-0622 CVE-2012-0621 CVE-2012-0620
                   CVE-2012-0619 CVE-2012-0618 CVE-2012-0617
                   CVE-2012-0616 CVE-2012-0615 CVE-2012-0614
                   CVE-2012-0613 CVE-2012-0612 CVE-2012-0611
                   CVE-2012-0610 CVE-2012-0609 CVE-2012-0608
                   CVE-2012-0607 CVE-2012-0606 CVE-2012-0605
                   CVE-2012-0604 CVE-2012-0603 CVE-2012-0602
                   CVE-2012-0601 CVE-2012-0600 CVE-2012-0599
                   CVE-2012-0598 CVE-2012-0597 CVE-2012-0596
                   CVE-2012-0595 CVE-2012-0594 CVE-2012-0593
                   CVE-2012-0592 CVE-2012-0591 CVE-2011-3909
                   CVE-2011-3908 CVE-2011-3897 CVE-2011-3888
                   CVE-2011-3885 CVE-2011-2877 CVE-2011-2873
                   CVE-2011-2872 CVE-2011-2871 CVE-2011-2870
                   CVE-2011-2869 CVE-2011-2868 CVE-2011-2867
                   CVE-2011-2866 CVE-2011-2860 CVE-2011-2857
                   CVE-2011-2855 CVE-2011-2854 CVE-2011-2847
                   CVE-2011-2846 CVE-2011-2833 CVE-2011-2825
Reference:         ASB-2011.0114.2
                   ASB-2011.0101
                   ASB-2011.0095
                   ASB-2011.0084
                   ASB-2011.0079
                   ASB-2011.0068

Original Bulletin:
   http://support.apple.com/kb/HT5191

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2012-03-07-1 iTunes 10.6

iTunes 10.6 is now available and addresses the following:

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2011-2833 : Apple
CVE-2011-2846 : Arthur Gerkis, miaubiz
CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense VCP
CVE-2011-2857 : miaubiz
CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2866 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2867 : Dirk Schulze
CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using AddressSanitizer
CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google Chrome Security Team using AddressSanitizer
CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2011-2877 : miaubiz
CVE-2011-3885 : miaubiz
CVE-2011-3888 : miaubiz
CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative
CVE-2011-3908 : Aki Helin of OUSPG
CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu
CVE-2012-0591 : miaubiz, and Martin Barbella
CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day Initiative
CVE-2012-0593 : Lei Zhang of the Chromium development community
CVE-2012-0594 : Adam Klein of the Chromium development community
CVE-2012-0595 : Apple
CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0597 : miaubiz
CVE-2012-0598 : Sergey Glazunov
CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com
CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google Chrome, miaubiz, Aki Helin of OUSPG, Apple
CVE-2012-0601 : Apple
CVE-2012-0602 : Apple
CVE-2012-0603 : Apple
CVE-2012-0604 : Apple
CVE-2012-0605 : Apple
CVE-2012-0606 : Apple
CVE-2012-0607 : Apple
CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0611 : Martin Barbella using AddressSanitizer
CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0615 : Martin Barbella using AddressSanitizer
CVE-2012-0616 : miaubiz
CVE-2012-0617 : Martin Barbella using AddressSanitizer
CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0621 : Martin Barbella using AddressSanitizer
CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome Security Team
CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0624 : Martin Barbella using AddressSanitizer
CVE-2012-0625 : Martin Barbella
CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0627 : Apple
CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2012-0630 : Sergio Villar Senin of Igalia
CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security Team
CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using AddressSanitizer
CVE-2012-0633 : Apple
CVE-2012-0634 : wushi of team509 working with TippingPoint's Zero Day Initiative
CVE-2012-0635 : Julien Chaffraix of the Chromium development community, Martin Barbella using AddressSanitizer
CVE-2012-0636 : Jeremy Apthorp of Google, Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0637 : Apple
CVE-2012-0638 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0639 : Abhishek Arya (Inferno) of Google Chrome Security Team using AddressSanitizer
CVE-2012-0648 : Apple

iTunes 10.6 may be obtained from:
http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 6f08434b9c3680c6e583707804838976f7281b70

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: de3a2349e88546385f8e028dab2787c3152bd274

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================