About the security content of iTunes 12.10.8 for Windows
This document describes the security content of iTunes 12.10.8 for Windows.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss or confirm security issues until an investigation has taken place and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iTunes 12.10.8 for Windows
CoreGraphics
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2020-9883: an anonymous researcher, Mickey Jin of Trend Micro
ImageIO
Available for: Windows 7 and later
Impact: processing a maliciously crafted image may lead to arbitrary code execution
Description: a memory corruption issue was addressed with improved input validation.
CVE-2020-27933: Xingwei Lin of Ant-Financial Light-Year Security Lab
ImageIO
Available for: Windows 7 and later
Impact: multiple buffer overflow issues existed in openEXR
Description: multiple issues in openEXR were addressed with improved checks.
CVE-2020-11758: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11759: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11760: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11761: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11762: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11763: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11764: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-11765: Xingwei Lin of Ant-Financial Light-Year Security Lab
ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9871: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-9872: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-9874: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-9879: Xingwei Lin of Ant-financial Light-Year Security Lab
CVE-2020-9936: Mickey Jin of Trend Micro
CVE-2020-9937: Xingwei Lin of Ant-financial Light-Year Security Lab
ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9873: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-9938: Xingwei Lin of Ant-Financial Light-Year Security Lab
CVE-2020-9984: an anonymous researcher
ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2020-9919: Mickey Jin of Trend Micro
ImageIO
Available for: Windows 7 and later
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: an out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9876: Mickey Jin of Trend Micro
ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2020-9877: Xingwei Lin of Ant-Financial Light-Year Security Lab
ImageIO
Available for: Windows 7 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: an integer overflow was addressed through improved input validation.
CVE-2020-9875: Mickey Jin of Trend Micro
libxml2
Available for: Windows 7 and later
Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9926: Found by OSS-Fuzz
WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
CVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved state management.
CVE-2020-9925: an anonymous researcher
WebKit
Available for: Windows 7 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech
WebKit
Available for: Windows 7 and later
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero
WebKit Page Loading
Available for: Windows 7 and later
Impact: A malicious attacker may be able to conceal the destination of a URL
Description: A URL Unicode encoding issue was addressed with improved state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)
WebKit Web Inspector
Available for: Windows 7 and later
Impact: Copying a URL from Web Inspector may lead to command injection
Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)
Additional recognition
ImageIO
We would like to acknowledge Xingwei Lin of Ant-Financial Light-Year Security Lab for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.