-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2217
                         iTunes 12.5.1 for Windows
                             21 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4769 CVE-2016-4768 CVE-2016-4767
                   CVE-2016-4766 CVE-2016-4765 CVE-2016-4763
                   CVE-2016-4762 CVE-2016-4760 CVE-2016-4759
                   CVE-2016-4758 CVE-2016-4728 

Reference:         ESB-2016.2214

Original Bulletin: 
   https://support.apple.com/en-au/HT207158

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-09-20-7 iTunes 12.5.1 for Windows

The iTunes 12.5.1 for Windows advisory has been released to describe
the entries below:

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A parsing issue existed in the handling of error
prototypes. This was addressed through improved validation.
CVE-2016-4728: Daniel Divricean
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Visiting a maliciously crafted website may leak sensitive
data
Description: A permissions issue existed in the handling of the
location variable. This was addressed through additional ownership
checks.
CVE-2016-4758: Masato Kinugawa of Cure53
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4759: Tongbo Luo of Palo Alto Networks
CVE-2016-4762: Zheng Huang of Baidu Security Lab
CVE-2016-4766: Apple
CVE-2016-4767: Apple
CVE-2016-4768: Anonymous working with Trend Micro's Zero Day
Initiative
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to access non-HTTP services
Description: Safari's support of HTTP/0.9 allowed cross-protocol
exploitation of non-HTTP services using DNS rebinding. The issue was
addressed by restricting HTTP/0.9 responses to default ports and
canceling resource loads if the document was loaded with a different
HTTP protocol version.
CVE-2016-4760: Jordan Milne
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-4765: Apple
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: An attacker in a privileged network position may be able to
intercept and alter network traffic to applications using WKWebView
with HTTPS
Description: A certificate validation issue existed in the handling
of WKWebView. This issue was addressed through improved validation.
CVE-2016-4763: an anonymous researcher
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4769: Tongbo Luo of Palo Alto Networks
Entry added September 20, 2016

iTunes 12.5.1 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
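
The CVE-2016-4760 entry above describes two restrictions on HTTP/0.9
responses. The following Python sketch of that rule is an added example,
not Apple's or WebKit's code; the function names, the textual status-line
check and the sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Default port per scheme; the advisory limits HTTP/0.9 to "default ports".
DEFAULT_PORTS = {"http": 80, "https": 443}

# An HTTP/1.x response begins with a status line. HTTP/0.9 has none: the
# whole byte stream is treated as the body.
STATUS_LINE = re.compile(rb"^HTTP/(\d)\.(\d) \d{3}(?: |\r?\n)")


def response_version(first_bytes: bytes) -> str:
    """Classify a response from its first bytes: '1.0', '1.1' or '0.9'."""
    m = STATUS_LINE.match(first_bytes)
    if m:
        return f"{m.group(1).decode()}.{m.group(2).decode()}"
    # No status line: a client that accepts HTTP/0.9 would read this as a
    # body, which is how output of a non-HTTP service becomes a "response".
    return "0.9"


def allow_subresource_load(url: str, first_bytes: bytes,
                           document_version: str) -> bool:
    """Apply both restrictions from the CVE-2016-4760 entry (hypothetical helper)."""
    if response_version(first_bytes) != "0.9":
        return True  # the restrictions only concern HTTP/0.9 responses
    parts = urlsplit(url)
    default = DEFAULT_PORTS.get(parts.scheme)
    if default is None or (parts.port or default) != default:
        return False  # HTTP/0.9 is refused on anything but the default port
    # Cancel the load if the document itself used another HTTP version.
    return document_version == "0.9"


# Constructed samples: (url, first response bytes, version of the document).
SAMPLES = [
    ("http://host.example:2525/", b"220 service ready\r\n", "1.1"),
    ("http://example.test/legacy", b"<html>old</html>", "1.1"),
    ("http://example.test/legacy", b"<html>old</html>", "0.9"),
    ("http://example.test:8080/x", b"HTTP/1.1 200 OK\r\n", "1.1"),
]

if __name__ == "__main__":
    for url, data, doc in SAMPLES:
        verdict = "allow" if allow_subresource_load(url, data, doc) else "cancel"
        print(f"{verdict:6} {url} (response {response_version(data)}, document {doc})")
```
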

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----