APPLE-SA-2013-12-16-2

APPLE-SA-2013-12-16-1

https://support.apple.com/kb/HT6537

The version of Apple iTunes on the remote host is prior to version 12.0.1. It is, therefore, affected by multiple vulnerabilities related to the included version of WebKit. The errors could lead to application crashes or arbitrary code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apple iTunes installed on the remote Windows host is prior to 12.0.1. It is, therefore, affected by multiple vulnerabilities due to the included version of WebKit. The errors could lead to application crashes or arbitrary code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Versions of iTunes earlier than 12.0.1 are missing updates that patch memory corruption vulnerabilities within WebKit, as well as a patch that fixes a man-in-the-middle vulnerability that affects encrypted connections to the iTunes Store via iTunes. The most severe of these vulnerabilites can result in arbitrary remote code execution or unexpected application termination.

The remote host has Safari installed. Versions of Safari earlier than 6.1.1 or 7.0.1 are reportedly affected by the following vulnerabilities :

  - A use-after-free error exists related to 'inline-block' rendering. (CVE-2013-2909)
 - Multiple, unspecified memory corruption vulnerabilities exist in WebKit that could lead to unexpected program termination or arbitrary code execution. (CVE-2013-5195, CVE-2013-5196, CVE-2013-5197, CVE-2013-5198, CVE-2013-5199, CVE-2013-5225, CVE-2013-5228)
 - Multiple information disclosure vulnerabilities exist due to an origin-validation error in which user information is auto-filled into a sub-frame from a different domain. (CVE-2013-5227)

The version of Apple Safari installed on the remote Mac OS X host is prior to 6.1.1 or 7.0.1. It is, therefore, potentially affected by several issues :

  - A use-after-free error exists related to 'inline-block'     rendering. (CVE-2013-2909)

  - Multiple, unspecified memory corruption vulnerabilities     exist in WebKit that could lead to unexpected program     termination or arbitrary code execution. (CVE-2013-5195,     CVE-2013-5196, CVE-2013-5197, CVE-2013-5198,     CVE-2013-5199, CVE-2013-5225, CVE-2013-5228)

  - Multiple information disclosure vulnerabilities exist     due to an origin-validation error in which user     information is auto-filled into a sub-frame from a     different domain. (CVE-2013-5227)

ID	Name	Product	Family	Severity
78598	Apple iTunes < 12.0.1 Multiple Vulnerabilities (uncredentialed check)	Nessus	Peer-To-Peer File Sharing	critical
78597	Apple iTunes < 12.0.1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
8561	iTunes < 12.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	critical
8083	Safari < 6.1.1 / 7.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
71498	Mac OS X : Apple Safari < 6.1.1 / 7.0.1 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high

CVE-2013-5195

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

medium

high