-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0874
                                iTunes 10.7
                             13 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows 7
                   Windows Vista
                   Windows XP
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3712 CVE-2012-3711 CVE-2012-3710
                   CVE-2012-3709 CVE-2012-3708 CVE-2012-3707
                   CVE-2012-3706 CVE-2012-3705 CVE-2012-3704
                   CVE-2012-3703 CVE-2012-3702 CVE-2012-3701
                   CVE-2012-3700 CVE-2012-3699 CVE-2012-3692
                   CVE-2012-3688 CVE-2012-3687 CVE-2012-3686
                   CVE-2012-3685 CVE-2012-3684 CVE-2012-3683
                   CVE-2012-3682 CVE-2012-3681 CVE-2012-3680
                   CVE-2012-3679 CVE-2012-3678 CVE-2012-3677
                   CVE-2012-3676 CVE-2012-3675 CVE-2012-3674
                   CVE-2012-3673 CVE-2012-3672 CVE-2012-3671
                   CVE-2012-3670 CVE-2012-3669 CVE-2012-3668
                   CVE-2012-3667 CVE-2012-3666 CVE-2012-3665
                   CVE-2012-3664 CVE-2012-3663 CVE-2012-3661
                   CVE-2012-3660 CVE-2012-3659 CVE-2012-3658
                   CVE-2012-3657 CVE-2012-3656 CVE-2012-3655
                   CVE-2012-3654 CVE-2012-3653 CVE-2012-3652
                   CVE-2012-3651 CVE-2012-3649 CVE-2012-3648
                   CVE-2012-3647 CVE-2012-3646 CVE-2012-3645
                   CVE-2012-3644 CVE-2012-3643 CVE-2012-3642
                   CVE-2012-3641 CVE-2012-3640 CVE-2012-3639
                   CVE-2012-3638 CVE-2012-3637 CVE-2012-3636
                   CVE-2012-3635 CVE-2012-3634 CVE-2012-3633
                   CVE-2012-3632 CVE-2012-3631 CVE-2012-3630
                   CVE-2012-3629 CVE-2012-3628 CVE-2012-3627
                   CVE-2012-3626 CVE-2012-3625 CVE-2012-3624
                   CVE-2012-3623 CVE-2012-3622 CVE-2012-3621
                   CVE-2012-3620 CVE-2012-3618 CVE-2012-3617
                   CVE-2012-3616 CVE-2012-3615 CVE-2012-3614
                   CVE-2012-3613 CVE-2012-3612 CVE-2012-3611
                   CVE-2012-3610 CVE-2012-3609 CVE-2012-3608
                   CVE-2012-3607 CVE-2012-3606 CVE-2012-3605
                   CVE-2012-3604 CVE-2012-3603 CVE-2012-3602
                   CVE-2012-3601 CVE-2012-3600 CVE-2012-3599
                   CVE-2012-3598 CVE-2012-3597 CVE-2012-3596
                   CVE-2012-3595 CVE-2012-3594 CVE-2012-3593
                   CVE-2012-3592 CVE-2012-3591 CVE-2012-3590
                   CVE-2012-3589 CVE-2012-2843 CVE-2012-2842
                   CVE-2012-2831 CVE-2012-2829 CVE-2012-2818
                   CVE-2012-2817 CVE-2012-1521 CVE-2012-1520
                   CVE-2012-0683 CVE-2012-0682 CVE-2011-3971
                   CVE-2011-3969 CVE-2011-3968 CVE-2011-3966
                   CVE-2011-3958 CVE-2011-3926 CVE-2011-3924
                   CVE-2011-3913 CVE-2011-3105 CVE-2011-3090
                   CVE-2011-3089 CVE-2011-3086 CVE-2011-3081
                   CVE-2011-3078 CVE-2011-3076 CVE-2011-3075
                   CVE-2011-3074 CVE-2011-3073 CVE-2011-3071
                   CVE-2011-3069 CVE-2011-3068 CVE-2011-3064
                   CVE-2011-3060 CVE-2011-3059 CVE-2011-3053
                   CVE-2011-3050 CVE-2011-3044 CVE-2011-3043
                   CVE-2011-3042 CVE-2011-3041 CVE-2011-3040
                   CVE-2011-3039 CVE-2011-3038 CVE-2011-3037
                   CVE-2011-3036 CVE-2011-3035 CVE-2011-3034
                   CVE-2011-3032 CVE-2011-3027 CVE-2011-3021
                   CVE-2011-3016  

Reference:         ASB-2012.0101
                   ASB-2012.0096
                   ASB-2012.0079
                   ASB-2012.0073
                   ASB-2012.0064
                   ASB-2012.0051
                   ASB-2012.0045
                   ASB-2012.0040
                   ASB-2012.0033
                   ASB-2012.0025
                   ASB-2012.0019
                   ASB-2012.0010
                   ASB-2011.0114.2
                   ESB-2012.0705

Original Bulletin: 
   http://support.apple.com/kb/HT5485

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-09-12-1 iTunes 10.7

iTunes 10.7 is now available and addresses the following:

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues are addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com
working with iDefense VCP
CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A.
Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3593 : Apple Product Security
CVE-2012-3594 : miaubiz
CVE-2012-3595 : Martin Barbella of Google Chrome Security
CVE-2012-3596 : Skylined of the Google Chrome Security Team
CVE-2012-3597 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3598 : Apple Product Security
CVE-2012-3599 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3600 : David Levin of the Chromium development community
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3603 : Apple Product Security
CVE-2012-3604 : Skylined of the Google Chrome Security Team
CVE-2012-3605 : Cris Neckar of the Google Chrome Security team
CVE-2012-3606 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3607 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3608 : Skylined of the Google Chrome Security Team
CVE-2012-3609 : Skylined of the Google Chrome Security Team
CVE-2012-3610 : Skylined of the Google Chrome Security Team
CVE-2012-3611 : Apple Product Security
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3615 : Stephen Chenney of the Chromium development community
CVE-2012-3616 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3617 : Apple Product Security
CVE-2012-3618 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3620 : Abhishek Arya of Google Chrome Security Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3625 : Skylined of Google Chrome Security Team
CVE-2012-3626 : Apple Product Security
CVE-2012-3627 : Skylined and Abhishek Arya of Google Chrome Security
team
CVE-2012-3628 : Apple Product Security
CVE-2012-3629 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3630 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3631 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3632 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3634 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3635 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3636 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3637 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3638 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3639 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3640 : miaubiz
CVE-2012-3641 : Slawomir Blazek
CVE-2012-3642 : miaubiz
CVE-2012-3643 : Skylined of the Google Chrome Security Team
CVE-2012-3644 : miaubiz
CVE-2012-3645 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3646 : Julien Chaffraix of the Chromium development
community, Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3647 : Skylined of the Google Chrome Security Team
CVE-2012-3648 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3649 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2012-3651 : Abhishek Arya and Martin Barbella of the Google
Chrome Security Team
CVE-2012-3652 : Martin Barbella of Google Chrome Security Team
CVE-2012-3653 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3654 : Skylined of the Google Chrome Security Team
CVE-2012-3655 : Skylined of the Google Chrome Security Team
CVE-2012-3656 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3657 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3658 : Apple
CVE-2012-3659 : Mario Gomes of netfuzzer.blogspot.com, Abhishek Arya
of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3660 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3661 : Apple Product Security
CVE-2012-3663 : Skylined of Google Chrome Security Team
CVE-2012-3664 : Thomas Sepez of the Chromium development community
CVE-2012-3665 : Martin Barbella of Google Chrome Security Team using
AddressSanitizer
CVE-2012-3666 : Apple
CVE-2012-3667 : Trevor Squires of propaneapp.com
CVE-2012-3668 : Apple Product Security
CVE-2012-3669 : Apple Product Security
CVE-2012-3670 : Abhishek Arya of Google Chrome Security Team using
AddressSanitizer, Arthur Gerkis
CVE-2012-3671 : Skylined and Martin Barbella of the Google Chrome
Security Team
CVE-2012-3672 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3673 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3674 : Skylined of Google Chrome Security Team
CVE-2012-3675 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3676 : Julien Chaffraix of the Chromium development
community
CVE-2012-3677 : Apple
CVE-2012-3678 : Apple Product Security
CVE-2012-3679 : Chris Leary of Mozilla
CVE-2012-3680 : Skylined of Google Chrome Security Team
CVE-2012-3681 : Apple
CVE-2012-3682 : Adam Barth of the Google Chrome Security Team
CVE-2012-3683 : wushi of team509 working with iDefense VCP
CVE-2012-3684 : kuzzcc
CVE-2012-3685 : Apple Product Security
CVE-2012-3686 : Robin Cao of Torch Mobile (Beijing)
CVE-2012-3687 : kuzzcc
CVE-2012-3688 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3692 : Skylined of the Google Chrome Security Team, Apple
Product Security
CVE-2012-3699 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3700 : Apple Product Security
CVE-2012-3701 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3702 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3703 : Apple Product Security
CVE-2012-3704 : Skylined of the Google Chrome Security Team
CVE-2012-3705 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3706 : Apple Product Security
CVE-2012-3707 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer
CVE-2012-3708 : Apple
CVE-2012-3709 : Apple Product Security
CVE-2012-3710 : James Robinson of Google
CVE-2012-3711 : Skylined of the Google Chrome Security Team
CVE-2012-3712 : Abhishek Arya of the Google Chrome Security Team
using AddressSanitizer

iTunes 10.7 may be obtained from:
http://www.apple.com/itunes/download/

For Windows XP / Vista / Windows 7:
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 499c39aad4a05c76286e3159f4e1e081dab8fe86

For 64-bit Windows XP / Vista / Windows 7:
The download file is named: "iTunes64Setup.exe"
Its SHA-1 digest is: c632854371097edbf3d831f7f2d449297d9f988e

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
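
Added example, not part of the Apple or AusCERT text: a PowerShell check of downloaded installers against the two SHA-1 digests published in the included advisory, with the Authenticode status reported alongside as a second, independent check. The download directory is an assumption; the file names and digests are the ones listed above.

```powershell
# Verify iTunes 10.7 installers against the digests in APPLE-SA-2012-09-12-1.
# $DownloadDir is an assumed location; pass the real one with -DownloadDir.
param(
    [string]$DownloadDir = (Join-Path $env:USERPROFILE 'Downloads')
)

# File names and SHA-1 digests exactly as published in the advisory.
$published = @{
    'iTunesSetup.exe'   = '499c39aad4a05c76286e3159f4e1e081dab8fe86'
    'iTunes64Setup.exe' = 'c632854371097edbf3d831f7f2d449297d9f988e'
}

$results = foreach ($name in $published.Keys) {
    $path = Join-Path $DownloadDir $name

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ File = $name; Digest = 'not found'; Signature = 'n/a'; Signer = '' }
        continue
    }

    # Get-FileHash returns upper-case hex; -eq compares strings case-insensitively.
    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
    $digest = if ($actual -eq $published[$name]) { 'match' } else { "MISMATCH ($actual)" }

    # Authenticode status does not depend on the digest published in the bulletin.
    # The signer subject is printed for the operator to review, not compared.
    $sig = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        File      = $name
        Digest    = $digest
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$results | Format-Table -AutoSize -Wrap

# Fail if any installer that is present has a wrong digest or an invalid signature.
$bad = $results | Where-Object {
    $_.Digest -ne 'not found' -and ($_.Digest -ne 'match' -or $_.Signature -ne 'Valid')
}
if ($bad) { exit 1 }
```

Get-FileHash requires PowerShell 4.0 or later.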

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----