May 22, 2013 - 12:00 a.m.

KLA10076 Multiple vulnerabilities in Apple iTunes

2013-05-22 00:00:00
Kaspersky Lab
threats.kaspersky.com
CVSS2: 9.3 High

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score: 8.1 High (Confidence: Low)

EPSS: 0.012 Low (Percentile: 85.1%)

Multiple critical vulnerabilities have been found in Apple iTunes. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code or spoof HTTPS servers. Below is a complete list of vulnerabilities:

  1. Vectors related to browsing the iTunes Store can be exploited remotely by man-in-the-middle attacks;
  2. Improper certificate verification can be exploited remotely by man-in-the-middle attacks.

Original advisories

Apple bulletin

Related products

Apple-iTunes

CVE list

CVE-2013-0992 high

CVE-2013-0999 critical

CVE-2013-0993 high

CVE-2013-1014 warning

CVE-2013-1006 critical

CVE-2013-0991 high

CVE-2013-1001 critical

CVE-2013-0997 high

CVE-2013-1003 critical

CVE-2013-1008 critical

CVE-2013-0996 high

CVE-2013-0998 high

CVE-2013-0995 high

CVE-2013-1002 critical

CVE-2013-0994 high

CVE-2013-1005 critical

CVE-2013-1004 critical

CVE-2013-1010 critical

CVE-2013-1011 high

CVE-2013-1007 critical

CVE-2013-1000 critical

Solution

Update to latest version

iTunes

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to an attacker executing any code or commands on the vulnerable machine or in the vulnerable process.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that trick the user into incorrect behavior.

Affected Products

  • Apple iTunes versions 11.0.2 and earlier
