Windows users are particularly targeted by the update

Jun 17, 2010 13:21 GMT

While Flash doesn’t seem much of a priority at Apple, the company’s proprietary digital media player application certainly is, even on the Windows side. According to a Support document entitled “About the security content of iTunes 9.2,” Apple has patched a total of 40 vulnerabilities. Most of these holes are already patched in the Safari 5.0 update, but at least two of them are resolved only by downloading the latest version of iTunes 9.2 for Windows, the support document indicates.

Although Apple’s advisory suggests that the vulnerabilities affect only Windows PC users, many of the WebKit bugs addressed in this release were also listed as patched in Safari 5 for Mac and Windows. The majority of these vulnerabilities were found in the WebKit HTML engine, which not only powers Apple’s web browser but also provides some of the basic functions in iTunes.

Apple lists these issues as affecting only Windows 7, Vista, and XP SP2 or later, although it does note that “WebKit is updated to the version included in Safari 5.0 and Safari 4.1 to address several vulnerabilities.” Most of the bugs documented by Apple are rated critical, meaning they could result in remote code execution. A link to a document detailing the security content of Safari 5.0 and Safari 4.1 is then provided.

Two vulnerabilities are separately detailed by the Mac maker, one of which was found in ColorSync. Affecting Windows 7, Vista, and XP SP2 or later, “A heap buffer overflow exists in the handling of images with an embedded ColorSync profile,” Cupertino’s electronics giant reveals. “Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of ColorSync profiles,” Apple explains, and credits staffers from Google’s Security Team for finding and reporting this critical bug.

ImageIO is also affected on Windows 7, Vista, or XP SP2 running an older version of iTunes. According to Apple, “Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution.” The issues, reported by Kevin Finisterre of digitalmunition.com, were addressed through improved bounds checking, the document states. Softpedia readers can download the latest versions of iTunes for Mac and Windows using the links below.
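The bug class Apple describes for TIFF handling, an integer overflow in a size computation that yields an undersized heap allocation, and the kind of bounds checking that closes it, as an added illustration in C (constructed example, not Apple’s ImageIO code; the image header fields and the 256 MiB size cap are assumptions):

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed TIFF-like header: width, height and bytes per pixel are
   read from untrusted file metadata (assumed layout, not real TIFF). */
typedef struct { uint32_t width, height, bpp; } img_hdr;

/* Naive size computation in 32-bit arithmetic: the product silently
   wraps, so a huge image can produce a tiny allocation that later
   pixel writes overrun (the heap overflow described above). */
static uint32_t naive_pixel_bytes(const img_hdr *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened version: checks each multiplication before performing it
   and rejects any image whose buffer would exceed a sane cap.
   Returns 1 and stores the size in *out, or 0 on overflow/rejection. */
static int checked_pixel_bytes(const img_hdr *h, size_t *out) {
    const size_t limit = 256u * 1024u * 1024u; /* 256 MiB cap (assumption) */
    if (h->width == 0 || h->height == 0 || h->bpp == 0) return 0;
    if (h->width > limit / h->height) return 0;  /* width*height > limit */
    size_t px = (size_t)h->width * h->height;
    if (px > limit / h->bpp) return 0;           /* px*bpp > limit */
    *out = px * h->bpp;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
static size_t checked_or_zero(const img_hdr *h) {
    size_t n;
    return checked_pixel_bytes(h, &n) ? n : 0;
}

/* Returns 1 when the naive computation would under-allocate for this
   header, i.e. when the checked path rejects it or disagrees with it. */
static int naive_wrapped(const img_hdr *h) {
    size_t correct;
    if (!checked_pixel_bytes(h, &correct)) return 1;
    return naive_pixel_bytes(h) != correct;
}
```

A 65536x65536 image with 4 bytes per pixel wraps to a naive size of 0 bytes, while the checked path rejects it outright; an ordinary 640x480x3 image passes both identically.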

Download iTunes for Mac (Free)

Download iTunes for Windows (Free)