Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2428
APPLE-SA-2015-09-16-3 iTunes 12.3
17 September 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: iTunes
Publisher: Apple
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-5920 CVE-2015-5874 CVE-2015-5823
CVE-2015-5822 CVE-2015-5821 CVE-2015-5819
CVE-2015-5818 CVE-2015-5817 CVE-2015-5816
CVE-2015-5815 CVE-2015-5814 CVE-2015-5813
CVE-2015-5812 CVE-2015-5811 CVE-2015-5810
CVE-2015-5809 CVE-2015-5808 CVE-2015-5807
CVE-2015-5806 CVE-2015-5805 CVE-2015-5804
CVE-2015-5803 CVE-2015-5802 CVE-2015-5801
CVE-2015-5800 CVE-2015-5799 CVE-2015-5798
CVE-2015-5797 CVE-2015-5796 CVE-2015-5795
CVE-2015-5794 CVE-2015-5793 CVE-2015-5792
CVE-2015-5791 CVE-2015-5790 CVE-2015-5789
CVE-2015-5761 CVE-2015-5755 CVE-2015-3749
CVE-2015-3748 CVE-2015-3747 CVE-2015-3746
CVE-2015-3745 CVE-2015-3744 CVE-2015-3743
CVE-2015-3742 CVE-2015-3741 CVE-2015-3740
CVE-2015-3739 CVE-2015-3738 CVE-2015-3737
CVE-2015-3736 CVE-2015-3735 CVE-2015-3734
CVE-2015-3733 CVE-2015-3731 CVE-2015-3730
CVE-2015-3688 CVE-2015-3687 CVE-2015-3686
CVE-2015-1205 CVE-2015-1157 CVE-2015-1153
CVE-2015-1152 CVE-2014-8146 CVE-2010-3190
Reference: ASB-2015.0011
ESB-2015.2114
ESB-2015.2113
ESB-2015.2112
ESB-2015.1247
ESB-2011.0414
Original Bulletin:
https://support.apple.com/kb/HT201222
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-09-16-3 iTunes 12.3
iTunes 12.3 is now available and addresses the following:
iTunes
Available for: Windows 7 and later
Impact: Applications that use CoreText may be vulnerable to
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-1157 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
iTunes
Available for: Windows 7 and later
Impact: Applications that use ICU may be vulnerable to unexpected
application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
processing of unicode strings. These issues were addressed by
updating ICU to version 55.
CVE-ID
CVE-2014-8146
CVE-2015-1205
iTunes
Available for: Windows 7 and later
Impact: Opening a media file may lead to arbitrary code execution
Description: A security issue existed in Microsoft Foundation
Class's handling of library loading. This issue was addressed by
updating to the latest version of the Microsoft Visual C++
Redistributable Package.
CVE-ID
CVE-2010-3190 : Stefan Kanthak
iTunes
Available for: Windows 7 and later
Impact: A man-in-the-middle attack while browsing the iTunes Store
via iTunes may result in unexpected application termination or
arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple
Software Update
Impact: An attacker in a privileged network position may be able to
obtain encrypted SMB credentials
Description: A redirection issue existed in the handling of certain
network connections. This issue was addressed through improved
resource validation.
CVE-ID
CVE-2015-5920 : Cylance
iTunes 12.3 may be obtained from:
http://www.apple.com/itunes/download/
You may also update to the latest version of iTunes via Apple
Software Update, which can be found in the Start menu.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJV+axbAAoJEBcWfLTuOo7tLSYP/1NCYHZeWYxqLnLgHgCcNRF/
iqZ7hq9UgxomXxoDVknvvWc61Z+UW6VIgGzEfzSlO9APIGC7ia1tdKl66oMEYSal
aGt5AJc9c55RuuvgF/IxgICRsuXjHsAmlQb5FPqwe2gSJYxggCfhObdQ/ShbP2kp
mV8sYiJJiKkYZqFDH17fvtAWV3GZ7CtXfneWDHlerJunbuUzWLpjWcYwbaiD/1C2
5CTohgHbTMtG2MGRacFXeYAXFhbnr6mXcxy+7Zee3B6x33/ypA/Q+KaIxPv4bssr
7XXzYin8bdMHlW6MWuCmyzJd2P/4opKvzNeyoZb1BM02k0Fb7SWDMwFA9UVovsX5
yCNKn0rg1nMhbXLjpob7G0GYfHNeGOy5PqKu3PXF++R4H5kGr9v2CZH+8dIU5+J7
LFyDSBZ4vlMsCYTRfI1PEUM6w3d+whrBl9vagVeJZG5gkSrZXftALjZsQXUhgqZH
mKDcSj/leCTbbbHMPq/NngQuUXzVRe+SJwVtSJEfQSg2yGCdBGTsjqftcOeDgVUL
vHR0KkZ4lVx5Aq48XFfXXvn5d3g+kP5pTeVbGdWFmf7XNDp3Vap5ATlTF5UF4EKt
jHPGMzWZwvEkdzDryynsTzrMR3TjTb7dDtXH6LEoKfOwIyxnH6+g8K1DbgdXgiJo
dL48EUi+MBq820BzP1fp
=cz5N
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVfoVF36ZAP0PgtI9AQKLuBAAhRSsitRxTtCSUkos/hPH3d3mDW/FOdVN
A3kG9AKoqIZWAEbyt9xyqRTT8aZla/jSCPjHuaE4UT+07xeeG2VI/Q9t54AWwmhA
pSjB31urE7U7E90d4P7OGZZYm4r0/F3ijvpyEcNYfWH8MtFTtm6tA+e01iGGufau
5GJhCLQkhCWVFIz06+LlqF3DAoHRNlLbZfg7NcrOuTbsSsRdYT2cZeBc6aqWnbUd
+nDhQNaCYrQwa+KNqNND3TylzOHZVUOiYT7GsIE74urNK2p+06IcNoy6YR8veuyr
wYkJDICnMsZ120Iur0/bNBPe5tgsDt0JDRBX+7fB2yDFc8o36J9/0HP9nF+WclX6
aOX9VGwvwSwLScxkJ0sQF4UibTw8lGxflZW31djI+KM5INXla98z4r9khopXmDqg
44iKrJ5EZ99bJZ31CzQpucl/csNj2+nMQyCXmKm298/V7GpCiptln7RlvLvL5Q+j
tFmmK55QJ4Zq9mOSJ1UCS0WIc7F2yo+rF1CqWtqI+GBmTKGLnJO8DdAgkW47pSyS
jpORz2cXBuyj9uE016vMjfSCa23fewwa8Eqn8JUwZIxBrdPIVzrQwkAD/S1zFjsE
y7q2wdILwtadcf2t7vVq2OV9lsWGpFwBb7n+49o6FamlsADz+lmGi6/p5WQjRLBN
v07E9RdvVg0=
=MqNn
-----END PGP SIGNATURE-----