Apple addresses numerous flaws in iTunes application for desktop computers
iTunes 11.0.3 is the latest version of Apple’s media player & digital distribution storefront for Macs and Windows computers. In addition to a few UI tweaks and several added features, the update comes with under-the-hood fixes that strengthen its security.Apple confirms in a security advisory on its Support site that iTunes 11.0.3 contains dozens of patches for some recently found vulnerabilities.
Affecting Mac OS X v10.6.8 or later, Windows 7, Vista, and XP SP2 or later, a certificate validation issue exists in older versions of iTunes.
In certain contexts, this would allow an active network attacker to present untrusted certificates to iTunes “and they would be accepted without warning,” the advisory states.
“An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information,” reads a summary of the bug.
By improving certificate validation, Apple easily cleansed iTunes of this flaw.
The Mac maker credits Christopher of ThinkSECURE Pte Ltd., and Christopher Hickstein of University of Minnesota for finding and reporting the flaw.
Targeting Windows platforms only, three dozen other flaws affecting the WebKit component of iTunes (the heart and soul of the software) have been discovered and patched.
Affecting iTunes installations on Windows 7, Vista, and XP SP2 or later, multiple memory corruption issues existed in WebKit which would permit a man-in-the-middle attack while browsing the iTunes Store, leading to an unexpected application termination or arbitrary code execution.
“These issues were addressed through improved memory handling,” Apple notes, crediting a sea of security researchers for discovering and reporting the bugs.
iTunes 11.0.3 is available as a free download for both Mac and Windows users. Use the links below to grab your respective version of the software.
Download iTunes for Mac OS X (Free)
Download iTunes for Windows (Free)