iTunes < 11.1.4 Multiple Vulnerabilities (uncredentialed check)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote host contains an application that is potentially affected
by multiple vulnerabilities.

Description :

The version of iTunes installed on the remote host is older than
11.1.4. It is, therefore, potentially affected by several issues :

- The included versions of WebKit, libxml, and libxslt
  contain several errors that could lead to memory
  corruption and possibly arbitrary code execution. The
  vendor notes that one possible attack vector is a
  man-in-the-middle attack while the application browses
  the iTunes Store. Note that these issues affect only
  installs on Windows. (CVE-2011-3102, CVE-2012-0841,
  CVE-2012-2807, CVE-2012-2825, CVE-2012-2870,
  CVE-2012-2871, CVE-2012-5134, CVE-2013-1037,
  CVE-2013-1038, CVE-2013-1039, CVE-2013-1040,
  CVE-2013-1041, CVE-2013-1042, CVE-2013-1043,
  CVE-2013-1044, CVE-2013-1045, CVE-2013-1046,
  CVE-2013-1047, CVE-2013-2842, CVE-2013-5125,
  CVE-2013-5126, CVE-2013-5127, CVE-2013-5128)

- An error exists related to text tracks in movie files
  that could allow denial of service or arbitrary code
  execution. Note that this issue affects only installs
  on Windows. (CVE-2013-1024)

- An error exists related to the iTunes Tutorials window
  that could allow an attacker in a privileged network
  location to inject content. Note that this issue
  affects only installs on Mac OS X. (CVE-2014-1242)

See also :

http://support.apple.com/kb/HT6001
http://www.securityfocus.com/archive/1/530870/30/0/threaded

Solution :

Upgrade to iTunes 11.1.4 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false