Operating System:

[WIN]

Published:

09 March 2012

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0256
               iTunes 10.6 corrects multiple vulnerabilities
                               9 March 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes 10.6
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0648 CVE-2012-0639 CVE-2012-0638
                   CVE-2012-0637 CVE-2012-0636 CVE-2012-0635
                   CVE-2012-0634 CVE-2012-0633 CVE-2012-0632
                   CVE-2012-0631 CVE-2012-0630 CVE-2012-0629
                   CVE-2012-0628 CVE-2012-0627 CVE-2012-0626
                   CVE-2012-0625 CVE-2012-0624 CVE-2012-0623
                   CVE-2012-0622 CVE-2012-0621 CVE-2012-0620
                   CVE-2012-0619 CVE-2012-0618 CVE-2012-0617
                   CVE-2012-0616 CVE-2012-0615 CVE-2012-0614
                   CVE-2012-0613 CVE-2012-0612 CVE-2012-0611
                   CVE-2012-0610 CVE-2012-0609 CVE-2012-0608
                   CVE-2012-0607 CVE-2012-0606 CVE-2012-0605
                   CVE-2012-0604 CVE-2012-0603 CVE-2012-0602
                   CVE-2012-0601 CVE-2012-0600 CVE-2012-0599
                   CVE-2012-0598 CVE-2012-0597 CVE-2012-0596
                   CVE-2012-0595 CVE-2012-0594 CVE-2012-0593
                   CVE-2012-0592 CVE-2012-0591 CVE-2011-3909
                   CVE-2011-3908 CVE-2011-3897 CVE-2011-3888
                   CVE-2011-3885 CVE-2011-2877 CVE-2011-2873
                   CVE-2011-2872 CVE-2011-2871 CVE-2011-2870
                   CVE-2011-2869 CVE-2011-2868 CVE-2011-2867
                   CVE-2011-2866 CVE-2011-2860 CVE-2011-2857
                   CVE-2011-2855 CVE-2011-2854 CVE-2011-2847
                   CVE-2011-2846 CVE-2011-2833 CVE-2011-2825

Reference:         ASB-2011.0114.2
                   ASB-2011.0101
                   ASB-2011.0095
                   ASB-2011.0084
                   ASB-2011.0079
                   ASB-2011.0068

Original Bulletin: 
   http://support.apple.com/kb/HT5191

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2012-03-07-1 iTunes 10.6

iTunes 10.6 is now available and addresses the following:

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  A man-in-the-middle attack while browsing the iTunes Store
via iTunes may lead to an unexpected application termination or
arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
CVE-ID
CVE-2011-2825 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-2833 : Apple
CVE-2011-2846 : Arthur Gerkis, miaubiz
CVE-2011-2847 : miaubiz, Abhishek Arya (Inferno) of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2854 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2855 : Arthur Gerkis, wushi of team509 working with iDefense
VCP
CVE-2011-2857 : miaubiz
CVE-2011-2860 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2866 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2867 : Dirk Schulze
CVE-2011-2868 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2869 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2870 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2871 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2872 : Abhishek Arya (Inferno) and Cris Neckar of Google
Chrome Security Team using AddressSanitizer
CVE-2011-2873 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2877 : miaubiz
CVE-2011-3885 : miaubiz
CVE-2011-3888 : miaubiz
CVE-2011-3897 : pa_kt working with TippingPoint's Zero Day Initiative
CVE-2011-3908 : Aki Helin of OUSPG
CVE-2011-3909 : Google Chrome Security Team (scarybeasts) and Chu
CVE-2012-0591 : miaubiz, and Martin Barbella
CVE-2012-0592 : Alexander Gavrun working with TippingPoint's Zero Day
Initiative
CVE-2012-0593 : Lei Zhang of the Chromium development community
CVE-2012-0594 : Adam Klein of the Chromium development community
CVE-2012-0595 : Apple
CVE-2012-0596 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0597 : miaubiz
CVE-2012-0598 : Sergey Glazunov
CVE-2012-0599 : Dmytro Gorbunov of SaveSources.com
CVE-2012-0600 : Marshall Greenblatt, Dharani Govindan of Google
Chrome, miaubiz, Aki Helin of OUSPG, Apple
CVE-2012-0601 : Apple
CVE-2012-0602 : Apple
CVE-2012-0603 : Apple
CVE-2012-0604 : Apple
CVE-2012-0605 : Apple
CVE-2012-0606 : Apple
CVE-2012-0607 : Apple
CVE-2012-0608 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0609 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0610 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0611 : Martin Barbella using AddressSanitizer
CVE-2012-0612 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0613 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0614 : miaubiz, Martin Barbella using AddressSanitizer
CVE-2012-0615 : Martin Barbella using AddressSanitizer
CVE-2012-0616 : miaubiz
CVE-2012-0617 : Martin Barbella using AddressSanitizer
CVE-2012-0618 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0619 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0620 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0621 : Martin Barbella using AddressSanitizer
CVE-2012-0622 : Dave Levin and Abhishek Arya of the Google Chrome
Security Team
CVE-2012-0623 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0624 : Martin Barbella using AddressSanitizer
CVE-2012-0625 : Martin Barbella
CVE-2012-0626 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0627 : Apple
CVE-2012-0628 : Slawomir Blazek, miaubiz, Abhishek Arya (Inferno) of
Google Chrome Security Team using AddressSanitizer
CVE-2012-0629 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0630 : Sergio Villar Senin of Igalia
CVE-2012-0631 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2012-0632 : Cris Neckar of the Google Chrome Security Team using
AddressSanitizer
CVE-2012-0633 : Apple
CVE-2012-0634 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2012-0635 : Julien Chaffraix of the Chromium development
community, Martin Barbella using AddressSanitizer
CVE-2012-0636 : Jeremy Apthorp of Google, Abhishek Arya (Inferno) of
Google Chrome Security Team using AddressSanitizer
CVE-2012-0637 : Apple
CVE-2012-0638 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0639 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2012-0648 : Apple


iTunes 10.6 may be obtained from:
http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 6f08434b9c3680c6e583707804838976f7281b70

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: de3a2349e88546385f8e028dab2787c3152bd274

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================