Apple has released iTunes 11.0.3 for OS X and Windows today.
This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited, an attacker would be able to spoof an SSL certificate without a warning being presented, potentially allowing the attacker to execute arbitrary code.
They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why.
iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs.
The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn’t require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.
What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let’s take a look at the history of the oldest vulnerability fixed, CVE-2012-2824.
CVE-2012-2824 is a “use after free” vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE).
It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome’s implementation of WebKit on 26 June 2012, about 2 months from initially being reported.
Apple’s first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported.
It is one of the vulnerabilities bundled into today’s iTunes 11.0.3 update, more than one year after disclosure.
Another vulnerability of note fixed in today’s Windows version of iTunes is CVE-2012-5112, or as it is better known the Pinkie Pie vulnerability from Google’s Pwnium 2 contest at the Hack in the Box 2012 conference.
In combination with another flaw this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.
While I do question the amount of time Apple needed to fix these bugs, that isn’t the point of this post.
The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.
The latest version of iTunes for Windows or OS X is always available at http://www.apple.com/itunes/download/.
13 comments on “Apple fixes 41 iTunes security flaws, some more than a year old”
Is there any internal updater that can be used? I just opened my itunes and cannot find anything to indicate which version I am running nor any function to check for updates?
If you are using a Mac, you can use the Software Update feature to update iTunes. The following 2 links describe how to do this:
For Windows, you can follow these steps:
Windows XP, Windows Vista and Windows 7:
Press the Start button and choose All Programs; near the top of the list should be Apple Software Update. When you click on this, it will display a list of any updates available. iTunes 11.0.3 should be listed here.
For Windows 8:
Press the Windows key (between the Ctrl and Alt keys in the lower left corner of your keyboard) and type the words “apple software” (without the quotes); you should see an icon for Apple Software Update appear on the left side of your screen. Left-click this, and a list of available updates should be displayed when the program opens.
If you have any issues installing this update on Windows, you may need to choose the "Download Only" option from the Tools menu of Apple Software Update and then manually run the iTunes.msi file that is automatically displayed once the download is completed.
I hope this helps. Thank you.
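For readers who would rather confirm the installed version from a prompt than click through Apple Software Update, here is an added PowerShell check. It is not from the original post or from Apple; it assumes iTunes registers itself under the standard Windows Uninstall keys with a DisplayName of “iTunes” and a four-part DisplayVersion (for example 11.0.3.42), and it reports whether that version is at or above the 11.0.3 release discussed above.

```powershell
# Added example (not from the original post or Apple): report the installed
# iTunes version on Windows and flag anything older than 11.0.3.
function Test-ITunesVersion {
    param([version]$Minimum = [version]'11.0.3')

    # Assumption: iTunes appears under the usual Uninstall keys; the WOW6432Node
    # key covers 32-bit iTunes on a 64-bit Windows and is skipped if absent.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'iTunes*' -and $_.DisplayVersion }

    if (-not $entries) {
        return [pscustomobject]@{ Installed = $null; UpToDate = $false; Note = 'iTunes is not installed.' }
    }

    foreach ($entry in $entries) {
        # [version] compares numerically field by field, so 11.0.3.42 is not
        # mistaken for being older than 11.0.3 the way a string compare might.
        $installed = [version]$entry.DisplayVersion
        $ok = $installed -ge $Minimum
        $note = if ($ok) { "iTunes $installed is at or above $Minimum." }
                else     { "iTunes $installed is older than $Minimum; run Apple Software Update." }
        [pscustomobject]@{ Installed = $installed; UpToDate = $ok; Note = $note }
    }
}

Test-ITunesVersion | Format-List
```

Run it from an ordinary PowerShell prompt; it only reads the registry and makes no changes. If it reports an older version, the Apple Software Update steps above are still the supported way to install 11.0.3.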
Thank you, for explaining that, it also helped me.
@tom: All Macs include Software Update, available under the Apple menu. On Windows, the ‘Apple Updater’ is installed with any Apple software. It is available under the list of installed applications. You won’t find any update service within iTunes itself.
They insist on bundling “bonjour” with their program and I’m sick and tired of it. It should be opt-in not opt-out via removal via add/remove programs.
Bonjour is an important aspect of iTunes: required for local sharing, home sharing, etc. Given that it's an IEEE standard, low to zero overhead, immensely useful protocol not just for iTunes but for configuring printers, scanners, access points etc. I'd have to ask just what is your issue with it? Apple could just bundle the iTunes specific parts into the app and give you a substandard experience, but they don't.
Menu Bar (top left) iTunes->Check For Updates
Ironically the check for updates is one of the vulnerable ssl connections
Hi tom, opening iTunes and clicking Help | About iTunes should report:
Thanks for the heads up on this update Chester. Apple have been slow lately to update their list of security advisories on their website:
It will probably take a few days until this iTunes update is mentioned at that link.
Start Menu > Programs > Apple Software Updates
You should have Apple Software Update already installed on your computer (if you have ever downloaded/installed iTunes, Safari, or QuickTime). Open that up and it will run and say, "X items have updates available", and then you can download and install them.
I wish it was possible to get security updates without upgrading iTunes altogether. I hate how they redesigned 11 so I went back to 10.
I'm on a mid-2010 MBP running OSX 10.7.5
I specifically don't want to upgrade my iTunes to 11 because I prefer 10's look.
Am I really missing out on any key security updates?