Apple iTunes < 12.4 DLL Injection Arbitrary Code Execution (uncredentialed check)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote host is running an application that is affected by a DLL
injection vulnerability.

Description :

The version of Apple iTunes running on the remote Windows host is
prior to 12.4. It is, therefore, affected by a DLL (Dynamic Link
Library) injection vulnerability in the setup component that is
triggered when running the installer from an untrusted directory. An
attacker can exploit this vulnerability by placing a specially crafted
DLL file in the untrusted directory, resulting in the execution of
arbitrary code in the context of the current user.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

https://support.apple.com/en-us/HT206379
http://www.nessus.org/u?7c25c376

Solution :

Upgrade to Apple iTunes version 12.4 or later.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Peer-To-Peer File Sharing

Nessus Plugin ID: 91348

Bugtraq ID:

CVE ID: CVE-2016-1742
