-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2963
                               iTunes 12.5.4
                             14 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           iTunes for Windows
Publisher:         Apple
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7656 CVE-2016-7654 CVE-2016-7652
                   CVE-2016-7649 CVE-2016-7648 CVE-2016-7646
                   CVE-2016-7645 CVE-2016-7642 CVE-2016-7641
                   CVE-2016-7640 CVE-2016-7639 CVE-2016-7635
                   CVE-2016-7632 CVE-2016-7611 CVE-2016-7610
                   CVE-2016-7599 CVE-2016-7598 CVE-2016-7592
                   CVE-2016-7589 CVE-2016-7587 CVE-2016-7586
                   CVE-2016-4743 CVE-2016-4692 

Original Bulletin: 
   https://support.apple.com/en-au/HT207427

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2016-12-13-3 iTunes 12.5.4

iTunes 12.5.4 is now available and addresses the following:

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple

WebKit
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4743: Alan Cutter

WebKit
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: A validation issue was addressed through improved state
management.
CVE-2016-7586: Boris Zbarsky

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative
CVE-2016-7611: an anonymous researcher working with Trend Micro's
Zero Day Initiative
CVE-2016-7639: Tongbo Luo of Palo Alto Networks
CVE-2016-7640: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7641: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7642: Tongbo Luo of Palo Alto Networks
CVE-2016-7645: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7646: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7648: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7649: Kai Kang of Tencent's Xuanwu Lab
(tencent.com)
CVE-2016-7654: Keen Lab working with Trend Micro's Zero Day
Initiative

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7589: Apple
CVE-2016-7656: Keen Lab working with Trend Micro's Zero Day
Initiative

WebKit
Impact: Processing maliciously crafted web content may compromise
user information
Description: An issue existed in handling of JavaScript prompts. This
was addressed through improved state management.
CVE-2016-7592: xisigr of Tencent's Xuanwu Lab
(tencent.com)

WebKit
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An uninitialized memory access issue was addressed
through improved memory initialization.
CVE-2016-7598: Samuel Groß

WebKit
Impact: Processing maliciously crafted web content may result in the
disclosure of user information
Description: An issue existed in the handling of HTTP redirects. This
issue was addressed through improved cross origin validation.
CVE-2016-7599: Muneaki Nishimura (nishimunea) of Recruit Technologies
Co., Ltd.

WebKit
Impact: Processing maliciously crafted web content may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-7632: Jeonghoon Shin

iTunes 12.5.4 may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
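The Apple advisory above follows the fixed APPLE-SA layout (title line with product and version, then blank-line separated blocks of component / Impact / Description / CVE credit lines, with fields wrapping onto unindented continuation lines). As an added example, not code from AusCERT or Apple, the Python below parses that layout into per-CVE records and decides whether an installed iTunes version is older than the fixed one. SAMPLE is an excerpt of the advisory text above; the Entry fields, the function names and the installed-version strings tried at the bottom are this example's own assumptions, and the version comparison is plain numeric component comparison rather than anything Apple documents.

```python
"""Parse an APPLE-SA advisory body into per-CVE records and decide whether
an installed version is older than the fixed one.

Added example; not AusCERT or Apple code. SAMPLE is an excerpt of the
iTunes 12.5.4 advisory; Entry fields, function names and the installed
version strings in __main__ are constructed for this example.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
APPLE-SA-2016-12-13-3 iTunes 12.5.4

iTunes 12.5.4 is now available and addresses the following:

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4692: Apple
CVE-2016-7635: Apple
CVE-2016-7652: Apple

WebKit
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved state management.
CVE-2016-7587: Adam Klein
CVE-2016-7610: Zheng Huang of the Baidu Security Lab working with
Trend Micro's Zero Day Initiative

iTunes 12.5.4 may be obtained from:
https://www.apple.com/itunes/download/
"""

# Title line: "APPLE-SA-<date>-<seq> <product> <version>"
TITLE_RE = re.compile(r"^APPLE-SA-(\d{4}-\d{2}-\d{2})-\d+\s+(.+?)\s+(\d+(?:\.\d+)*)\s*$")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")


@dataclass
class Entry:
    cve: str
    component: str
    impact: str
    description: str
    credit: str


def parse_advisory(text):
    """Return (date, product, fixed_version, [Entry, ...])."""
    lines = text.splitlines()
    m = TITLE_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not an APPLE-SA title")
    date, product, fixed = m.groups()
    entries, block = [], []
    # Blocks are blank-line separated; a vulnerability block has the
    # component on its first line and "Impact:" on its second.
    for line in lines[1:] + [""]:
        if line.strip():
            block.append(line)
            continue
        if len(block) >= 3 and block[1].startswith("Impact:"):
            entries.extend(_parse_block(block))
        block = []
    return date, product, fixed, entries


def _parse_block(block):
    component = block[0]
    # Fields wrap onto unindented lines: a line starts a new field only
    # if it is an Impact:, Description: or CVE line; otherwise it is
    # glued onto the previous field.
    fields = []
    for line in block[1:]:
        if line.startswith(("Impact:", "Description:")) or CVE_RE.match(line):
            fields.append(line)
        else:
            fields[-1] += " " + line
    impact = description = ""
    out = []
    for f in fields:
        if f.startswith("Impact:"):
            impact = f[len("Impact:"):].strip()
        elif f.startswith("Description:"):
            description = f[len("Description:"):].strip()
        else:
            cve, credit = CVE_RE.match(f).groups()
            out.append(Entry(cve, component, impact, description, credit))
    return out


def is_vulnerable(installed, fixed):
    """True if installed < fixed; absent trailing components count as 0."""
    a = [int(p) for p in installed.split(".")]
    b = [int(p) for p in fixed.split(".")]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))


if __name__ == "__main__":
    date, product, fixed, entries = parse_advisory(SAMPLE)
    print(f"{product} {fixed} ({date}): {len(entries)} CVEs")
    for e in entries:
        print(f"  {e.cve:<14} {e.component:<7} [{e.credit}]")
    for installed in ("12.5.3", "12.5.4", "12.5"):  # constructed values
        print(f"installed {installed}: vulnerable={is_vulnerable(installed, fixed)}")
```

The continuation-line rule is the part worth keeping when feeding other APPLE-SA bulletins through this: credits and descriptions wrap without indentation, so splitting on line boundaries alone would cut CVE credits and impact strings in half. Padding shorter version strings with zeros keeps "12.5" older than "12.5.4" while "12.5.4.0" compares equal to the fixed version.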

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----