#VU1096 Remote code execution in iTunes - CVE-2016-7578

Cybersecurity Help s.r.o.

Published: 2016-10-31

Vulnerability identifier: #VU1096

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-7578

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iTunes
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness is due to input validation flaw. By persuading the victim to load a specially crafted web content, a remote attacker can trigger a memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation
Update to version 12.5.2.

Vulnerable software versions

iTunes: 7.3.2 - 12.5.2

External links
https://support.apple.com/en-us/HT207274

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in Apple iTunes