iTunes < 11.1.2 Multiple Vulnerabilities (uncredentialed check)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote host contains an application with multiple vulnerabilities.

Description :

The version of iTunes installed on the remote Windows host is older
than 11.1.2. It is, therefore, potentially affected by several issues :

- An uninitialized memory access issue exists in the
  handling of text tracks, which could lead to memory
  corruption and possibly arbitrary code execution.
  (CVE-2013-1024)

- The included versions of WebKit, libxml, and libxslt
  contain several errors that could lead to memory
  corruption and possibly arbitrary code execution. The
  vendor notes that one possible attack vector is a
  man-in-the-middle attack while the application browses
  the 'iTunes Store'.
  (CVE-2011-3102, CVE-2012-0841, CVE-2012-2807,
  CVE-2012-2825, CVE-2012-2870, CVE-2012-2871,
  CVE-2012-5134, CVE-2013-1037, CVE-2013-1038,
  CVE-2013-1039, CVE-2013-1040, CVE-2013-1041,
  CVE-2013-1042, CVE-2013-1043, CVE-2013-1044,
  CVE-2013-1045, CVE-2013-1046, CVE-2013-1047,
  CVE-2013-2842, CVE-2013-5125, CVE-2013-5126,
  CVE-2013-5127, CVE-2013-5128)

See also :

http://support.apple.com/kb/HT6001
http://lists.apple.com/archives/security-announce/2013/Oct/msg00009.html

Solution :

Upgrade to iTunes 11.1.2 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false