-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1046
                        iTunes for Windows 12.10.5
                               25 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9783 CVE-2020-3911 CVE-2020-3910
                   CVE-2020-3909 CVE-2020-3902 CVE-2020-3901
                   CVE-2020-3900 CVE-2020-3899 CVE-2020-3897
                   CVE-2020-3895 CVE-2020-3894 CVE-2020-3887
                   CVE-2020-3885

Reference:         ESB-2020.1042
                   ESB-2020.1041

Original Bulletin: 
   https://support.apple.com/en-au/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-03-24-6 iTunes for Windows 12.10.5

iTunes for Windows 12.10.5 is now available and addresses the
following:

libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com

libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-3901: Benjamin Randazzo (@____benjamin)

WebKit
Available for: Windows 7 and later
Impact: A download's origin may be incorrectly associated
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3887: Ryan Pickren (ryanpickren.com)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3895: grigoritchy
CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

WebKit
Available for: Windows 7 and later
Impact: An application may be able to read restricted memory
Description: A race condition was addressed with additional
validation.
CVE-2020-3894: Sergei Glazunov of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro's
Zero Day Initiative

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9783: Apple

WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A memory consumption issue was addressed with improved
memory handling.
CVE-2020-3899: found by OSS-Fuzz

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-3902: Yigit Can YILMAZ (@yilmazcanyigit)

WebKit Page Loading
Available for: Windows 7 and later
Impact: A file URL may be incorrectly processed
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3885: Ryan Pickren (ryanpickren.com)

Additional recognition

WebKit
We would like to acknowledge Emilio Cobos Alvarez of Mozilla, Samuel
Gross of Google Project Zero, and an anonymous researcher for their
assistance.

Installation note:

iTunes for Windows 12.10.5 may be obtained from:
https://www.apple.com/itunes/download/

- --------------------------END INCLUDED TEXT--------------------
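A fleet check to go with the installation note above. This is an added example, not part of the AusCERT or Apple bulletin: it reads the installed iTunes for Windows version from the standard uninstall registry keys (with the default install path of iTunes.exe as a fallback) and reports whether it meets the 12.10.5 fixed version named in the bulletin. The registry hives are the usual Windows ones; the executable path and the exact form of the version strings are assumptions, so adjust them if iTunes was installed elsewhere.

```powershell
# Added example (not from the AusCERT or Apple bulletin): report whether the
# locally installed iTunes for Windows is at or above the fixed version that
# the bulletin names. Assumes the standard uninstall registry hives and the
# default install path; both are assumptions about this host, not facts from
# the bulletin.

$FixedVersion = [version]'12.10.5'   # fixed version from the bulletin

function Get-InstalledITunesVersion {
    # Uninstall entries written by 64-bit and 32-bit installers
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'iTunes' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        return [version]$entry.DisplayVersion
    }

    # Fallback: product version stamped on the executable in the default
    # install location (assumed path; numeric dotted version string assumed)
    $exe = Join-Path $env:ProgramFiles 'iTunes\iTunes.exe'
    if (Test-Path $exe) {
        return [version](Get-Item $exe).VersionInfo.ProductVersion
    }
    return $null
}

function Test-ITunesPatched {
    param(
        [version]$Installed,
        [version]$Required = $FixedVersion
    )
    # Absent version means iTunes is either not installed or not detectable;
    # treat that as "not confirmed patched" so it shows up for review.
    if (-not $Installed) { return $false }
    return $Installed -ge $Required
}

$installed = Get-InstalledITunesVersion
if (-not $installed) {
    Write-Output 'iTunes not found under the uninstall keys or default path.'
} elseif (Test-ITunesPatched -Installed $installed) {
    Write-Output "iTunes $installed is at or above $FixedVersion."
} else {
    Write-Output "iTunes $installed is below $FixedVersion; update from https://www.apple.com/itunes/download/"
}
```

The comparison uses .NET System.Version semantics, so a four-part installed version such as 12.10.5.x compares as at or above 12.10.5. Builds obtained from the Microsoft Store are packaged apps and are not registered under these uninstall keys; enumerate those with Get-AppxPackage instead if that distribution is in use.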

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----