-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.2428
APPLE-SA-2015-09-16-3 iTunes 12.3
17 September 2015

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5920 CVE-2015-5874 CVE-2015-5823 CVE-2015-5822
                   CVE-2015-5821 CVE-2015-5819 CVE-2015-5818 CVE-2015-5817
                   CVE-2015-5816 CVE-2015-5815 CVE-2015-5814 CVE-2015-5813
                   CVE-2015-5812 CVE-2015-5811 CVE-2015-5810 CVE-2015-5809
                   CVE-2015-5808 CVE-2015-5807 CVE-2015-5806 CVE-2015-5805
                   CVE-2015-5804 CVE-2015-5803 CVE-2015-5802 CVE-2015-5801
                   CVE-2015-5800 CVE-2015-5799 CVE-2015-5798 CVE-2015-5797
                   CVE-2015-5796 CVE-2015-5795 CVE-2015-5794 CVE-2015-5793
                   CVE-2015-5792 CVE-2015-5791 CVE-2015-5790 CVE-2015-5789
                   CVE-2015-5761 CVE-2015-5755 CVE-2015-3749 CVE-2015-3748
                   CVE-2015-3747 CVE-2015-3746 CVE-2015-3745 CVE-2015-3744
                   CVE-2015-3743 CVE-2015-3742 CVE-2015-3741 CVE-2015-3740
                   CVE-2015-3739 CVE-2015-3738 CVE-2015-3737 CVE-2015-3736
                   CVE-2015-3735 CVE-2015-3734 CVE-2015-3733 CVE-2015-3731
                   CVE-2015-3730 CVE-2015-3688 CVE-2015-3687 CVE-2015-3686
                   CVE-2015-1205 CVE-2015-1157 CVE-2015-1153 CVE-2015-1152
                   CVE-2014-8146 CVE-2010-3190

Reference:         ASB-2015.0011
                   ESB-2015.2114
                   ESB-2015.2113
                   ESB-2015.2112
                   ESB-2015.1247
                   ESB-2011.0414

Original Bulletin:
   https://support.apple.com/kb/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-09-16-3 iTunes 12.3

iTunes 12.3 is now available and addresses the
following:

iTunes
Available for:  Windows 7 and later
Impact:  Applications that use CoreText may be vulnerable to
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-1157 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

iTunes
Available for:  Windows 7 and later
Impact:  Applications that use ICU may be vulnerable to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of unicode strings. These issues were addressed by
updating ICU to version 55.
CVE-ID
CVE-2014-8146
CVE-2015-1205

iTunes
Available for:  Windows 7 and later
Impact:  Opening a media file may lead to arbitrary code execution
Description:  A security issue existed in Microsoft Foundation
Class's handling of library loading. This issue was addressed by
updating to the latest version of the Microsoft Visual C++
Redistributable Package.
CVE-ID
CVE-2010-3190 : Stefan Kanthak

iTunes
Available for:  Windows 7 and later
Impact:  A man-in-the-middle attack while browsing the iTunes Store
via iTunes may result in unexpected application termination or
arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple

Software Update
Impact:  An attacker in a privileged network position may be able to
obtain encrypted SMB credentials
Description:  A redirection issue existed in the handling of certain
network connections. This issue was addressed through improved
resource validation.
CVE-ID
CVE-2015-5920 : Cylance

iTunes 12.3 may be obtained from:
http://www.apple.com/itunes/download/

You may also update to the latest version of iTunes via Apple
Software Update, which can be found in the Start menu.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
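
The fix level stated in the bulletin (iTunes 12.3 on Windows) can be checked per host. The PowerShell below is an added example, not part of the Apple or AusCERT text. It assumes iTunes registers DisplayName and DisplayVersion under the standard Windows Uninstall registry keys; the function names and the sample version strings are constructed for illustration.

```powershell
# Added example (not from Apple or AusCERT): flag iTunes installs older than 12.3.
# Assumption: iTunes registers DisplayName/DisplayVersion under the standard
# Windows Uninstall keys. Function names here are hypothetical.
$FixedVersion = [version]'12.3'

function Test-ITunesPatched {
    param([string]$DisplayVersion)
    $v = $null
    # Missing or unparseable version strings are treated as unpatched.
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    # Numeric comparison: a plain string compare would rank 12.10 below 12.3.
    return $v -ge $FixedVersion
}

function Get-ITunesInstall {
    # Both the native and the 32-bit (WOW6432Node) uninstall views are read.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'iTunes' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Version  = $_.DisplayVersion
                Patched  = Test-ITunesPatched $_.DisplayVersion
            }
        }
}

# Constructed sample version strings, to show the comparison logic offline.
foreach ($s in '12.2.2.25', '12.3.0.44', '12.10.1.4', '') {
    '{0,-12} patched={1}' -f $s, (Test-ITunesPatched $s)
}

# Live check on the local machine (no rows means iTunes is not installed).
Get-ITunesInstall | Format-Table -AutoSize
```

The comparison covers the iTunes package only; the Software Update entry for CVE-2015-5920 is listed as a separate component in the bulletin and is not evaluated by this check.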