About the security content of iTunes 11.0.3

Learn about the security content of iTunes 11.0.3.

This document describes the security content of iTunes 11.0.3, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates".

iTunes 11.0.3

  • iTunes

    Available for: Mac OS X v10.6.8 or later, Windows 7, Vista, XP SP2 or later

    Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

    Description: A certificate validation issue existed in iTunes. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation.

    CVE-ID

    CVE-2013-1014 : Christopher of ThinkSECURE Pte Ltd, Christopher Hickstein of University of Minnesota

  • iTunes

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2012-2824 : miaubiz

    CVE-2012-2857 : Arthur Gerkis

    CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working with HP TippingPoint's Zero Day Initiative

    CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest

    CVE-2013-0879 : Atte Kettunen of OUSPG

    CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative

    CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0951 : Apple

    CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the Google Chrome Security Team

    CVE-2013-0955 : Apple

    CVE-2013-0956 : Apple Product Security

    CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security Team

    CVE-2013-0960 : Apple

    CVE-2013-0961 : wushi of team509 working with iDefense VCP

    CVE-2013-0991 : Jay Civelli of the Chromium development community

    CVE-2013-0992 : Google Chrome Security Team (Martin Barbella)

    CVE-2013-0993 : Google Chrome Security Team (Inferno)

    CVE-2013-0994 : David German of Google

    CVE-2013-0995 : Google Chrome Security Team (Inferno)

    CVE-2013-0996 : Google Chrome Security Team (Inferno)

    CVE-2013-0997 : Vitaliy Toropov working with HP TippingPoint's Zero Day Initiative

    CVE-2013-0998 : pa_kt working with HP TippingPoint's Zero Day Initiative

    CVE-2013-0999 : pa_kt working with HP TippingPoint's Zero Day Initiative

    CVE-2013-1000 : Fermin J. Serna of the Google Security Team

    CVE-2013-1001 : Ryan Humenick

    CVE-2013-1002 : Sergey Glazunov

    CVE-2013-1003 : Google Chrome Security Team (Inferno)

    CVE-2013-1004 : Google Chrome Security Team (Martin Barbella)

    CVE-2013-1005 : Google Chrome Security Team (Martin Barbella)

    CVE-2013-1006 : Google Chrome Security Team (Martin Barbella)

    CVE-2013-1007 : Google Chrome Security Team (Inferno)

    CVE-2013-1008 : Sergey Glazunov

    CVE-2013-1010 : miaubiz

    CVE-2013-1011 : Google Chrome Security Team (Inferno)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: