KLA11343 Multiple vulnerabilities in Apple iTunes

Multiple serious vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, cause denial of service and perform cross-site scripting attack.

Below is a complete list of vulnerabilities:

1. A memory corruption vulnerability in ICU can be exploited remotely to cause denial of service and possibly to execute arbitrary code;
2. Multiple vulnerabilities in Safari Reader feature can be exploited remotely to perform cross-site scripting attack;
3. A resource exhaustion vulnerability in WebKit can be exploited remotely to cause denial of service;
4. Multiple memory corruption vulnerabilities in WebKit can be exploited remotely via malicious website to execute arbitrary code.

Original advisories

About the security content of iTunes 12.9.1

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Apple-iTunes

CVE list

CVE-2018-4398 critical

CVE-2018-4394 critical

CVE-2018-4374 high

CVE-2018-4377 high

CVE-2018-4409 high

CVE-2018-4378 critical

CVE-2018-4372 critical

CVE-2018-4373 critical

CVE-2018-4375 critical

CVE-2018-4376 critical

CVE-2018-4382 critical

CVE-2018-4386 critical

CVE-2018-4392 critical

CVE-2018-4416 critical

Solution

Update to the latest version

Download iTunes

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

• Apple iTunes earlier than 12.9.1