===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0874
                                iTunes 10.7
                             13 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows 7
                   Windows Vista
                   Windows XP
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3712 CVE-2012-3711 CVE-2012-3710 CVE-2012-3709
                   CVE-2012-3708 CVE-2012-3707 CVE-2012-3706 CVE-2012-3705
                   CVE-2012-3704 CVE-2012-3703 CVE-2012-3702 CVE-2012-3701
                   CVE-2012-3700 CVE-2012-3699 CVE-2012-3692 CVE-2012-3688
                   CVE-2012-3687 CVE-2012-3686 CVE-2012-3685 CVE-2012-3684
                   CVE-2012-3683 CVE-2012-3682 CVE-2012-3681 CVE-2012-3680
                   CVE-2012-3679 CVE-2012-3678 CVE-2012-3677 CVE-2012-3676
                   CVE-2012-3675 CVE-2012-3674 CVE-2012-3673 CVE-2012-3672
                   CVE-2012-3671 CVE-2012-3670 CVE-2012-3669 CVE-2012-3668
                   CVE-2012-3667 CVE-2012-3666 CVE-2012-3665 CVE-2012-3664
                   CVE-2012-3663 CVE-2012-3661 CVE-2012-3660 CVE-2012-3659
                   CVE-2012-3658 CVE-2012-3657 CVE-2012-3656 CVE-2012-3655
                   CVE-2012-3654 CVE-2012-3653 CVE-2012-3652 CVE-2012-3651
                   CVE-2012-3649 CVE-2012-3648 CVE-2012-3647 CVE-2012-3646
                   CVE-2012-3645 CVE-2012-3644 CVE-2012-3643 CVE-2012-3642
                   CVE-2012-3641 CVE-2012-3640 CVE-2012-3639 CVE-2012-3638
                   CVE-2012-3637 CVE-2012-3636 CVE-2012-3635 CVE-2012-3634
                   CVE-2012-3633 CVE-2012-3632 CVE-2012-3631 CVE-2012-3630
                   CVE-2012-3629 CVE-2012-3628 CVE-2012-3627 CVE-2012-3626
                   CVE-2012-3625 CVE-2012-3624 CVE-2012-3623 CVE-2012-3622
                   CVE-2012-3621 CVE-2012-3620 CVE-2012-3618 CVE-2012-3617
                   CVE-2012-3616 CVE-2012-3615 CVE-2012-3614 CVE-2012-3613
                   CVE-2012-3612 CVE-2012-3611 CVE-2012-3610 CVE-2012-3609
                   CVE-2012-3608 CVE-2012-3607 CVE-2012-3606 CVE-2012-3605
                   CVE-2012-3604 CVE-2012-3603 CVE-2012-3602 CVE-2012-3601
                   CVE-2012-3600 CVE-2012-3599 CVE-2012-3598 CVE-2012-3597
                   CVE-2012-3596 CVE-2012-3595 CVE-2012-3594 CVE-2012-3593
                   CVE-2012-3592 CVE-2012-3591 CVE-2012-3590 CVE-2012-3589
                   CVE-2012-2843 CVE-2012-2842 CVE-2012-2831 CVE-2012-2829
                   CVE-2012-2818 CVE-2012-2817 CVE-2012-1521 CVE-2012-1520
                   CVE-2012-0683 CVE-2012-0682 CVE-2011-3971 CVE-2011-3969
                   CVE-2011-3968 CVE-2011-3966 CVE-2011-3958 CVE-2011-3926
                   CVE-2011-3924 CVE-2011-3913 CVE-2011-3105 CVE-2011-3090
                   CVE-2011-3089 CVE-2011-3086 CVE-2011-3081 CVE-2011-3078
                   CVE-2011-3076 CVE-2011-3075 CVE-2011-3074 CVE-2011-3073
                   CVE-2011-3071 CVE-2011-3069 CVE-2011-3068 CVE-2011-3064
                   CVE-2011-3060 CVE-2011-3059 CVE-2011-3053 CVE-2011-3050
                   CVE-2011-3044 CVE-2011-3043 CVE-2011-3042 CVE-2011-3041
                   CVE-2011-3040 CVE-2011-3039 CVE-2011-3038 CVE-2011-3037
                   CVE-2011-3036 CVE-2011-3035 CVE-2011-3034 CVE-2011-3032
                   CVE-2011-3027 CVE-2011-3021 CVE-2011-3016

Reference:         ASB-2012.0101 ASB-2012.0096 ASB-2012.0079 ASB-2012.0073
                   ASB-2012.0064 ASB-2012.0051 ASB-2012.0045 ASB-2012.0040
                   ASB-2012.0033 ASB-2012.0025 ASB-2012.0019 ASB-2012.0010
                   ASB-2011.0114.2 ESB-2012.0705

Original Bulletin: http://support.apple.com/kb/HT5485

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2012-09-12-1 iTunes 10.7

iTunes 10.7 is now available and addresses the following:

WebKit
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3593 : Apple Product Security
CVE-2012-3594 : miaubiz
CVE-2012-3595 : Martin Barbella of Google Chrome Security
CVE-2012-3596 : Skylined of the Google Chrome Security Team
CVE-2012-3597 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3598 : Apple Product Security
CVE-2012-3599 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3600 : David Levin of the Chromium development community
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3603 : Apple Product Security
CVE-2012-3604 : Skylined of the Google Chrome Security Team
CVE-2012-3605 : Cris Neckar of the Google Chrome Security team
CVE-2012-3606 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3607 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3608 : Skylined of the Google Chrome Security Team
CVE-2012-3609 : Skylined of the Google Chrome Security Team
CVE-2012-3610 : Skylined of the Google Chrome Security Team
CVE-2012-3611 : Apple Product Security
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3615 : Stephen Chenney of the Chromium development community
CVE-2012-3616 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3617 : Apple Product Security
CVE-2012-3618 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3620 : Abhishek Arya of Google Chrome Security Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3625 : Skylined of Google Chrome Security Team
CVE-2012-3626 : Apple Product Security
CVE-2012-3627 : Skylined and Abhishek Arya of Google Chrome Security team
CVE-2012-3628 : Apple Product Security
CVE-2012-3629 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3630 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3631 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3632 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3634 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3635 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3636 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3637 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3638 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3639 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3640 : miaubiz
CVE-2012-3641 : Slawomir Blazek
CVE-2012-3642 : miaubiz
CVE-2012-3643 : Skylined of the Google Chrome Security Team
CVE-2012-3644 : miaubiz
CVE-2012-3645 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3646 : Julien Chaffraix of the Chromium development community, Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3647 : Skylined of the Google Chrome Security Team
CVE-2012-3648 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team
CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google Chrome Security Team
CVE-2012-3652 : Martin Barbella of Google Chrome Security Team
CVE-2012-3653 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3654 : Skylined of the Google Chrome Security Team
CVE-2012-3655 : Skylined of the Google Chrome Security Team
CVE-2012-3656 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3657 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3658 : Apple
CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3660 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3661 : Apple Product Security
CVE-2012-3663 : Skylined of Google Chrome Security Team
CVE-2012-3664 : Thomas Sepez of the Chromium development community
CVE-2012-3665 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3666 : Apple
CVE-2012-3667 : Trevor Squires of propaneapp.com
CVE-2012-3668 : Apple Product Security
CVE-2012-3669 : Apple Product Security
CVE-2012-3670 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer, Arthur Gerkis
CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome Security Team
CVE-2012-3672 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3673 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3674 : Skylined of Google Chrome Security Team
CVE-2012-3675 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3676 : Julien Chaffraix of the Chromium development community
CVE-2012-3677 : Apple
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
CVE-2012-3680 : Skylined of Google Chrome Security Team
CVE-2012-3681 : Apple
CVE-2012-3682 : Adam Barth of the Google Chrome Security Team
CVE-2012-3683 : wushi of team509 working with iDefense VCP
CVE-2012-3684 : kuzzcc
CVE-2012-3685 : Apple Product Security
CVE-2012-3686 : Robin Cao of Torch Mobile (Beijing)
CVE-2012-3687 : kuzzcc
CVE-2012-3688 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple Product Security
CVE-2012-3699 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3700 : Apple Product Security
CVE-2012-3701 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3702 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3703 : Apple Product Security
CVE-2012-3704 : Skylined of the Google Chrome Security Team
CVE-2012-3705 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3706 : Apple Product Security
CVE-2012-3707 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3708 : Apple
CVE-2012-3709 : Apple Product Security
CVE-2012-3710 : James Robinson of Google
CVE-2012-3711 : Skylined of the Google Chrome Security Team
CVE-2012-3712 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer

iTunes 10.7 may be obtained from:
http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 499c39aad4a05c76286e3159f4e1e081dab8fe86

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: c632854371097edbf3d831f7f2d449297d9f988e

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================