-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1423
                     Apple security update for iTunes
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-1857 CVE-2021-1825 CVE-2021-1811
                   CVE-2020-7463  

Reference:         ESB-2021.1408

Original Bulletin: 
   https://support.apple.com/HT212319

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2021-04-26-9 iTunes 12.11.3 for Windows

iTunes 12.11.3 for Windows addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212319.

CFNetwork
Available for: Windows 10 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2021-1857: an anonymous researcher

CoreText
Available for: Windows 10 and later
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: A logic issue was addressed with improved state
management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab

WebKit
Available for: Windows 10 and later
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2021-1825: Alex Camboe of Aon's Cyber Solutions

WebRTC
Available for: Windows 10 and later
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-7463: Megan2013678

Installation note:

This update may be obtained from: https://www.apple.com/itunes/download

Additional recognition

CoreCrypto
We would like to acknowledge Andy Russon of Orange Group for their
assistance.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----