21 September 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2217
                        iTunes 12.5.1 for Windows
                             21 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4769 CVE-2016-4768 CVE-2016-4767 CVE-2016-4766
                   CVE-2016-4765 CVE-2016-4763 CVE-2016-4762 CVE-2016-4760
                   CVE-2016-4759 CVE-2016-4758 CVE-2016-4728

Reference:         ESB-2016.2214

Original Bulletin:
   https://support.apple.com/en-au/HT207158

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-09-20-7 iTunes 12.5.1 for Windows

The iTunes 12.5.1 for Windows advisory has been released to describe
the entries below:

WebKit
Available for:  Windows 7 and later
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  A parsing issue existed in the handling of error
prototypes. This was addressed through improved validation.
CVE-2016-4728: Daniel Divricean
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  Visiting a maliciously crafted website may leak sensitive data
Description:  A permissions issue existed in the handling of the
location variable. This was addressed through additional ownership
checks.
CVE-2016-4758: Masato Kinugawa of Cure53
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4759: Tongbo Luo of Palo Alto Networks
CVE-2016-4762: Zheng Huang of Baidu Security Lab
CVE-2016-4766: Apple
CVE-2016-4767: Apple
CVE-2016-4768: Anonymous working with Trend Micro's Zero Day Initiative
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  A malicious website may be able to access non-HTTP services
Description:  Safari's support of HTTP/0.9 allowed cross-protocol
exploitation of non-HTTP services using DNS rebinding. The issue was
addressed by restricting HTTP/0.9 responses to default ports and
canceling resource loads if the document was loaded with a different
HTTP protocol version.
CVE-2016-4760: Jordan Milne
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  A memory corruption issue was addressed through improved
state management.
CVE-2016-4765: Apple
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  An attacker in a privileged network position may be able to
intercept and alter network traffic to applications using WKWebView
with HTTPS
Description:  A certificate validation issue existed in the handling of
WKWebView. This issue was addressed through improved validation.
CVE-2016-4763: an anonymous researcher
Entry added September 20, 2016

WebKit
Available for:  Windows 7 and later
Impact:  Processing maliciously crafted web content may lead to
arbitrary code execution
Description:  A memory corruption issue was addressed through improved
input validation.
CVE-2016-4769: Tongbo Luo of Palo Alto Networks
Entry added September 20, 2016

iTunes 12.5.1 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJX4YajAAoJEIOj74w0bLRGr/wQAIHNxCUBqgM8tAzB/NSHg1ya
QNXaeYT93j0CfzBHfuc9oAOSBfYbV0DM9/Vtj6MbYBl+z2NjEG1tBqEGpUP4m8Pj
9rCyVTyAbpK83xO3gArEmxR6YgE7DIdlP69dX3Fn4xIC96K71anYDIkdNaseml5S
+nagEtS2KFcDKrIrKFZCzyuKxyiWKqhEKBgo4WQpjsFvXTf/gZCd7wjMQgVRBxUM
NczHETeWAFg3uUoIB6R7bDwAJoEP7edWvQQUSd/vHQqcqJfqf98HwJnRXsrfIUVr
wcyX0HIDbwdmw87CiQyqWwZ9TDc5PRg1PRp4b+wxnerNVocYxJOE7Nwpnk9JBvEj
IuG6IsM9qEWwajvS35w9tQ0YObITXo/ilFRImqg/NwoCVl3BOS1niiyZA5Kc4ghI
eXTbPHRL/9sRSxGWuEpkl1PSTsKpXx0FRm2q67bG/9VQmexPdM4ghzae4ENhOSWv
pc8mvLH9cp1XKAbc1Qhsk5tJSH3RHM9GFtMbeVAFMsYbVMD+tVssj4WYr8BiJg1x
q+zaYpMF9mMtZONtr7KUJUuNLKKyvv4nZBm1GbZ9gz8glLQGlykmWU3dcXhxfulL
hzAnk3FHVvGs6yYoJASY0WFMPLNz/7XZMS+Pm5MkTCdUJ1H6wvmUGdgchFp2bR2P
tOUXttL4qy5/8JByAW2+
=Ijgf
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV+H0b4x+lLeg9Ub1AQhGyQ//UNT7OpaV8Ge83TbikbCSWikd1ija9PX2
zqaMUHDGooyzbM/ce8+gsczNOk0Be8D3Qn5zTAy/2hIRqB2YmtC6fw3AJReRV3RD
+wajRg1ybTArG2fcvySwq3S9WQv4Oavi1YPPt3RkpcJfrkNsU/cFPyKwXSFSDAoA
Kmi5ZaluqYxSYCPzeuD5fTd5UsolTyuQAiwehxGghXrcKj5eIuEIPb/4g7xaOPV3
oTzG7B6U9LBjj02dZ6mx/ZcCJUQICP8nROg5R5eGv8aPx5S+2AAPit0jpNxCXglS
Dx+kPET7tfBVqvFzQMB1YpwCsDYTUO1MtgIoQY9WWJm+dj+94joT2LdGhUKCaKLY
gudtDACoGzN5oMoyg7VLLGmAKecnJUEagTogzEnlnT4eygy/LQRqibX1houACeyl
B9KWHDHiqtG3WE24NiK3Q0747lTJHmGKcFGpbi0u8SduXzJHsALC9p3zak0R+f9E
un+J5Rz3aFbjjmuM/3hbOfmc+A46lAo1QKF4sAGIe+7/QIjnG3DDoJBf5laNnCfw
04TVNVRubkLGb19ceuO46wPNji4z9pvssda3CWz7VrrLsJ6dZV2WXp+X1p/rep0n
5RnKcJphOKh/B+gI56XiCHQvMtyCc6vCShg1HEqIrYcTgwJkZmoXCTS0aO0/7cTk
jkvF+KW6RN4=
=vabl
-----END PGP SIGNATURE-----
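Editor's added example for the CVE-2016-4760 entry above. This is not code from the bulletin, from Apple or from WebKit; it expresses the two-part fix the advisory describes (tolerate HTTP/0.9 responses only on the scheme's default port, and cancel a sub-resource load when the embedding document was fetched with a different HTTP version) as a small Python acceptance policy. The function names, the `demo()` harness and the sample byte strings are constructed for this example. The point it makes is why the port rule is the load-bearing one: an HTTP/0.9 "response" has no status line or headers, so any byte stream a lenient client reads back is treated as a page body, and with DNS rebinding the hostname the page used may no longer resolve to the server that served the page.

```python
"""Added example: the CVE-2016-4760 mitigation as a response-acceptance policy.

Not code from the bulletin, Apple or WebKit. The names below
(detect_http_version, should_accept_response, demo) and the sample
responses are constructed for illustration.
"""
from typing import Optional, Tuple

# Default port per scheme; an HTTP/0.9 response is only tolerated on these.
DEFAULT_PORTS = {"http": 80, "https": 443}


def detect_http_version(raw: bytes) -> str:
    """Return the protocol version a raw response claims.

    HTTP/1.x responses start with a status line such as b"HTTP/1.1 200 OK".
    HTTP/0.9 has no status line and no headers: the server just writes the
    body. A lenient client therefore treats *any* byte stream that does not
    begin with "HTTP/" as an HTTP/0.9 body, which is what lets the output of
    a non-HTTP service be handed to the page as if it were web content.
    """
    first_line = raw.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/"):
        return first_line.split(b" ", 1)[0].decode("ascii", errors="replace")
    return "HTTP/0.9"


def should_accept_response(raw: bytes, scheme: str, port: int,
                           document_version: Optional[str]) -> Tuple[bool, str]:
    """Apply the two restrictions the advisory describes.

    document_version is the HTTP version the embedding document was loaded
    with, or None for a top-level navigation (no parent document).
    """
    version = detect_http_version(raw)
    if version != "HTTP/0.9":
        # A real status line is present; this policy has nothing to say.
        return True, f"{version} response accepted"
    if port != DEFAULT_PORTS.get(scheme):
        # Restriction 1: HTTP/0.9 only on the scheme's default port.
        return False, f"HTTP/0.9 response on non-default port {port} rejected"
    if document_version is not None and document_version != "HTTP/0.9":
        # Restriction 2: cancel a 0.9 sub-resource load when the document
        # itself arrived over a different HTTP version.
        return False, (f"HTTP/0.9 sub-resource cancelled: document was "
                       f"loaded over {document_version}")
    return True, "HTTP/0.9 response on default port accepted"


# Constructed sample responses (not captured traffic).
RESP_HTTP11 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESP_HTTP09 = b"<html><body>legacy 0.9 server</body></html>"
RESP_NON_HTTP = b"HELLO this service does not speak HTTP\r\n"


def demo() -> dict:
    """Run the policy over the samples; returns {case_name: accepted}."""
    cases = {
        "http11_default_port": (RESP_HTTP11, "http", 80, "HTTP/1.1"),
        "http09_top_level_default_port": (RESP_HTTP09, "http", 80, None),
        "http09_non_default_port": (RESP_HTTP09, "http", 9999, None),
        "non_http_banner_under_http11_doc": (RESP_NON_HTTP, "http", 80, "HTTP/1.1"),
        "non_http_banner_odd_port": (RESP_NON_HTTP, "https", 9999, "HTTP/1.1"),
    }
    results = {}
    for name, args in cases.items():
        accepted, reason = should_accept_response(*args)
        results[name] = accepted
        print(f"{name:36s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Run it directly to see each constructed case and the rule that decided it. The only case that still passes as HTTP/0.9 is a top-level load on the default port, which is the compatibility window the advisory says Apple kept; everything that reaches a non-default port, or that a modern document tries to pull in as a sub-resource, is refused.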