For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
iTunes 11.1.4
-
iTunes
Available for: Mac OS X v10.6.8 or later, Windows 8, Windows 7, Vista, and XP SP2 or later
Impact: An attacker with a privileged network position may control the contents of the iTunes Tutorials window
Description: The contents of the iTunes Tutorials window are retrieved from the network using an unprotected HTTP connection. An attacker with a privileged network position may inject arbitrary contents. This issue was addressed by using an encrypted HTTPS connection to retrieve tutorials.
CVE-ID
CVE-2014-1242 : Apple
-
iTunes
Available for: Windows 8, Windows 7, Vista, and XP SP2 or later
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation
-
iTunes
Available for: Windows 8, Windows 7, Vista, and XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-1037 : Google Chrome Security Team
CVE-2013-1038 : Google Chrome Security Team
CVE-2013-1039 : own-hero Research working with iDefense VCP
CVE-2013-1040 : Google Chrome Security Team
CVE-2013-1041 : Google Chrome Security Team
CVE-2013-1042 : Google Chrome Security Team
CVE-2013-1043 : Google Chrome Security Team
CVE-2013-1044 : Apple
CVE-2013-1045 : Google Chrome Security Team
CVE-2013-1046 : Google Chrome Security Team
CVE-2013-1047 : miaubiz
CVE-2013-2842 : Cyril Cattiaux
CVE-2013-5125 : Google Chrome Security Team
CVE-2013-5126 : Apple
CVE-2013-5127 : Google Chrome Security Team
CVE-2013-5128 : Apple
-
libxml
Available for: Windows 8, Windows 7, Vista, and XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libxml. These issues were addressed by updating libxml to version 2.9.0.
CVE-ID
CVE-2011-3102 : Jüri Aedla
CVE-2012-0841
CVE-2012-2807 : Jüri Aedla
CVE-2012-5134 : Google Chrome Security Team (Jüri Aedla)
-
libxslt
Available for: Windows 8, Windows 7, Vista, and XP SP2 or later
Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libxslt. These issues were addressed by updating libxslt to version 1.1.28.
CVE-ID
CVE-2012-2825 : Nicolas Gregoire
CVE-2012-2870 : Nicolas Gregoire
CVE-2012-2871 : Kai Lu of Fortinet's FortiGuard Labs, Nicolas Gregoire