| VID |
50052 |
| Severity |
40 |
| Port |
3689 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The remote version of iTunes is older than 11.0.3. As such, it is potentially affected by several issues :
- An error exists related to certificate validation that could allow disclosure of sensitive information and could allow the application to trust data from untrusted sources. Note this issue affects the application regardless of operating system. (CVE-2013-1014)
- The included version of WebKit contains several errors that could lead to memory corruption and possibly arbitrary code execution. The vendor notes one possible attack vector is a man-in-the-middle attack while the application browses the 'iTunes Store'. Please note these issues only affect the application when running on Windows.
* Note: This check requires an account with Guest or upper privileges which can access the registry of the remote host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts
* References:
http://www.zerodayinitiative.com/advisories/ZDI-13-107/
http://www.zerodayinitiative.com/advisories/ZDI-13-108/
http://www.zerodayinitiative.com/advisories/ZDI-13-109/
http://support.apple.com/kb/HT5766
http://lists.apple.com/archives/security-announce/2013/May/msg00000.html
http://www.securityfocus.com/archive/1/526623/30/0/threaded
* Platforms Affected:
Apple Computer, Inc., iTunes versions prior to 11.0.3 |
| Recommendation |
Upgrade to the latest version of iTunes (11.0.3 or later), available from the Apple Download Web site at http://www.apple.com/itunes/download/ |
| Related URL |
CVE-2012-2824,CVE-2012-2857,CVE-2012-3748,CVE-2012-5112,CVE-2013-0879,CVE-2013-0912,CVE-2013-0948,CVE-2013-0949,CVE-2013-0950,CVE-2013-0951 (CVE) |
| Related URL |
54203,54749,55867,56362,57576,57580,57581,57582,57584,57585 (SecurityFocus) |
| Related URL |
(ISS) |
|
