Apple fixes 41 iTunes security flaws, some more than a year old

Apple has released iTunes 11.0.3 for OS X and Windows today.

This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited, an attacker would be able to spoof an SSL certificate without a warning being presented, potentially allowing the attacker to execute arbitrary code.

They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why.

iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs.

The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn’t require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.

What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let’s take a look at the history of the oldest vulnerability fixed, CVE-2012-2824.

CVE-2012-2824 is a “use after free” vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE).

It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome’s implementation of WebKit on 26 June 2012, about 2 months after it was initially reported.

Apple’s first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported.

It is one of the vulnerabilities bundled into today’s iTunes 11.0.3 update, more than one year after disclosure.

Another vulnerability of note fixed in today’s Windows version of iTunes is CVE-2012-5112, or, as it is better known, the Pinkie Pie vulnerability from Google’s Pwnium 2 contest at the Hack in the Box 2012 conference.

In combination with another flaw, this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.

While I do question the amount of time Apple needed to fix these bugs, that isn’t the point of this post.

The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.

The latest version of iTunes for Windows or OS X is always available at