Operating System: [Win]
Published: 17 September 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2428
                     APPLE-SA-2015-09-16-3 iTunes 12.3
                             17 September 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5920 CVE-2015-5874 CVE-2015-5823
                   CVE-2015-5822 CVE-2015-5821 CVE-2015-5819
                   CVE-2015-5818 CVE-2015-5817 CVE-2015-5816
                   CVE-2015-5815 CVE-2015-5814 CVE-2015-5813
                   CVE-2015-5812 CVE-2015-5811 CVE-2015-5810
                   CVE-2015-5809 CVE-2015-5808 CVE-2015-5807
                   CVE-2015-5806 CVE-2015-5805 CVE-2015-5804
                   CVE-2015-5803 CVE-2015-5802 CVE-2015-5801
                   CVE-2015-5800 CVE-2015-5799 CVE-2015-5798
                   CVE-2015-5797 CVE-2015-5796 CVE-2015-5795
                   CVE-2015-5794 CVE-2015-5793 CVE-2015-5792
                   CVE-2015-5791 CVE-2015-5790 CVE-2015-5789
                   CVE-2015-5761 CVE-2015-5755 CVE-2015-3749
                   CVE-2015-3748 CVE-2015-3747 CVE-2015-3746
                   CVE-2015-3745 CVE-2015-3744 CVE-2015-3743
                   CVE-2015-3742 CVE-2015-3741 CVE-2015-3740
                   CVE-2015-3739 CVE-2015-3738 CVE-2015-3737
                   CVE-2015-3736 CVE-2015-3735 CVE-2015-3734
                   CVE-2015-3733 CVE-2015-3731 CVE-2015-3730
                   CVE-2015-3688 CVE-2015-3687 CVE-2015-3686
                   CVE-2015-1205 CVE-2015-1157 CVE-2015-1153
                   CVE-2015-1152 CVE-2014-8146 CVE-2010-3190

Reference:         ASB-2015.0011
                   ESB-2015.2114
                   ESB-2015.2113
                   ESB-2015.2112
                   ESB-2015.1247
                   ESB-2011.0414

Original Bulletin: 
   https://support.apple.com/kb/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-09-16-3 iTunes 12.3

iTunes 12.3 is now available and addresses the following:

iTunes
Available for:  Windows 7 and later
Impact:  Applications that use CoreText may be vulnerable to
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of text files. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-1157 : Apple
CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

iTunes
Available for:  Windows 7 and later
Impact:  Applications that use ICU may be vulnerable to unexpected
application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of Unicode strings. These issues were addressed by
updating ICU to version 55.
CVE-ID
CVE-2014-8146
CVE-2015-1205

iTunes
Available for:  Windows 7 and later
Impact:  Opening a media file may lead to arbitrary code execution
Description:  A security issue existed in Microsoft Foundation
Class's handling of library loading. This issue was addressed by
updating to the latest version of the Microsoft Visual C++
Redistributable Package.
CVE-ID
CVE-2010-3190 : Stefan Kanthak

iTunes
Available for:  Windows 7 and later
Impact:  A man-in-the-middle attack while browsing the iTunes Store
via iTunes may result in unexpected application termination or
arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1152 : Apple
CVE-2015-1153 : Apple
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
CVE-2015-5789 : Apple
CVE-2015-5790 : Apple
CVE-2015-5791 : Apple
CVE-2015-5792 : Apple
CVE-2015-5793 : Apple
CVE-2015-5794 : Apple
CVE-2015-5795 : Apple
CVE-2015-5796 : Apple
CVE-2015-5797 : Apple
CVE-2015-5798 : Apple
CVE-2015-5799 : Apple
CVE-2015-5800 : Apple
CVE-2015-5801 : Apple
CVE-2015-5802 : Apple
CVE-2015-5803 : Apple
CVE-2015-5804 : Apple
CVE-2015-5805
CVE-2015-5806 : Apple
CVE-2015-5807 : Apple
CVE-2015-5808 : Joe Vennix
CVE-2015-5809 : Apple
CVE-2015-5810 : Apple
CVE-2015-5811 : Apple
CVE-2015-5812 : Apple
CVE-2015-5813 : Apple
CVE-2015-5814 : Apple
CVE-2015-5815 : Apple
CVE-2015-5816 : Apple
CVE-2015-5817 : Apple
CVE-2015-5818 : Apple
CVE-2015-5819 : Apple
CVE-2015-5821 : Apple
CVE-2015-5822 : Mark S. Miller of Google
CVE-2015-5823 : Apple

Software Update
Impact:  An attacker in a privileged network position may be able to
obtain encrypted SMB credentials
Description:  A redirection issue existed in the handling of certain
network connections. This issue was addressed through improved
resource validation.
CVE-ID
CVE-2015-5920 : Cylance


iTunes 12.3 may be obtained from:
http://www.apple.com/itunes/download/

You may also update to the latest version of iTunes via Apple
Software Update, which can be found in the Start menu.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----