About the security content of iTunes 11.0.3

Learn about the security content of iTunes 11.0.3.

This document describes the security content of iTunes 11.0.3, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

iTunes 11.0.3

• iTunes

  Available for: Mac OS X v10.6.8 or later, Windows 7, Vista, XP SP2 or later

  Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

  Description: A certificate validation issue existed in iTunes. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation.

  CVE-ID

  CVE-2013-1014 : Christopher of ThinkSECURE Pte Ltd, Christopher Hickstein of University of Minnesota

• iTunes

  Available for: Windows 7, Vista, XP SP2 or later

  Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution

  Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

  CVE-ID

  CVE-2012-2824 : miaubiz

  CVE-2012-2857 : Arthur Gerkis

  CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working with HP TippingPoint's Zero Day Initiative

  CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest

  CVE-2013-0879 : Atte Kettunen of OUSPG

  CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative

  CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0951 : Apple

  CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team

  CVE-2013-0955 : Apple

  CVE-2013-0956 : Apple Product Security

  CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security Team

  CVE-2013-0960 : Apple

  CVE-2013-0961 : wushi of team509 working with iDefense VCP

  CVE-2013-0991 : Jay Civelli of the Chromium development community

  CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)

  CVE-2013-0993 : Google Chrome Security Team (Inferno)

  CVE-2013-0994 : David German of Google

  CVE-2013-0995 : Google Chrome Security Team (Inferno)

  CVE-2013-0996 : Google Chrome Security Team (Inferno)

  CVE-2013-0997 : Vitaliy Toropov working with HP TippingPoint's Zero Day Initiative

  CVE-2013-0998 : pa_kt working with HP TippingPoint's Zero Day Initiative

  CVE-2013-0999 : pa_kt working with HP TippingPoint's Zero Day Initiative

  CVE-2013-1000 : Fermin J. Serna of the Google Security Team

  CVE-2013-1001 : Ryan Humenick

  CVE-2013-1002 : Sergey Glazunov

  CVE-2013-1003 : Google Chrome Security Team (Inferno)

  CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)

  CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)

  CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)

  CVE-2013-1007 : Google Chrome Security Team (Inferno)

  CVE-2013-1008 : Sergey Glazunov

  CVE-2013-1010 : miaubiz

  CVE-2013-1011 : Google Chrome Security Team (Inferno)