=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN716
_____________________________________________________________________

DATE                      : 17/11/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running iTunes 6.

======================================================================

APPLE-SA-2005-11-15 iTunes 6 for Windows

CVE-ID: CVE-2005-2938

Available for: Microsoft Windows XP and Microsoft Windows 2000

Impact: iTunes 5 for Windows may launch the wrong helper program

Description: Due to the way iTunes 5 for Windows launches its helper
application, multiple system paths are searched to determine which
program to run. This may allow a malicious user on the local system
to create an environment where an alternate program will be executed
by iTunes.  This has already been addressed in the iTunes 6 release
for Windows, available from:
http://www.apple.com/itunes/download/

This advisory is being released at this time to coordinate with other
vendors whose products were also affected by their implementation of
the helper application launch mechanism.  Credit to iDEFENSE for
reporting this issue.

iTunes 6 for Windows may be obtained from:
http://www.apple.com/itunes/download/

The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================