Multiple vulnerabilities in Apple iTunes

Published: 2018-07-11 15:35:52 | Updated: 2018-07-11
Severity High
Patch available YES
Number of vulnerabilities 14
CVE ID CVE-2018-4293
CVE-2018-4270
CVE-2018-4278
CVE-2018-4284
CVE-2018-4266
CVE-2018-4271
CVE-2018-4273
CVE-2018-4261
CVE-2018-4262
CVE-2018-4263
CVE-2018-4264
CVE-2018-4265
CVE-2018-4267
CVE-2018-4272
CVSSv3 4.6 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID CWE-264
CWE-119
CWE-362
Exploitation vector Network
Public exploit N/A
Vulnerable software iTunes
Vulnerable software versions iTunes 12.7.5
iTunes 12.7.2
iTunes 12.7.1
iTunes 12.7
Vendor URL Apple Inc.

Security Advisory

1) Security restrictions bypass

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to an error in cookie management. A local attacker can run a specially crafted application and cause cookies unexpectedly persist in Safari.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

2) Memory corruption

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

3) Security restrictions bypass

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper audio taint tracking. A remote attacker can trick the victim into visiting a specially crafted website, bypass security restrictions and exfiltrate audio data cross-origin.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

4) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

5) Race condition

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to race condition when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website and cause the service to crash.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

6) Memory corruption

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

7) Memory corruption

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

8) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

9) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

10) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

11) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

12) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

13) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

14) Memory corruption

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.

Remediation

Update to version 12.8.

External links

https://support.apple.com/en-us/HT208933

Back to List