Thursday, May 16, 2013

Apple iTunes 11.0.3 Released
With One Security Patch For Mac

Moments like this make me glad I have a Mac.

Apple released iTunes version 11.0.3 today. It contains one security patch. The link to the Security Announcement is below, as well as Apple's description of the security patch.

iTunes 11.0.3 was released for BOTH Windows and Mac. The Windows version includes a huge slew of CVE patches. I'm not going to list them! I don't have to! This is a Mac-only blog. Hee hee! Ha ha. But I will tell you that, according to my count, there are 39 CVE patches in the Windows version, including the cross-platform patch below. The majority of those CVE vulnerabilities were discovered by the Google Chrome Security Team. Most impressive. Unfortunately, all of the Windows-specific CVE issues are in the Windows version of WebKit, Apple's sponsored open source project for web browsers. Also unfortunate, Google will no longer be contributing to the WebKit project, which means the Google Chrome Security Team will no longer be vetting WebKit for vulnerabilities.

I wish it were not so.
I'm sorry to see them go.

About the security content of iTunes 11.0.3

CVE-2013-1014:
Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

Description: A certificate validation issue existed in iTunes. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation.


