==================================================================== CERT-Renater Note d'Information No. 2019/VULN020 _____________________________________________________________________ DATE : 29/01/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows running iTunes versions prior to 12.9.3. ===================================================================== https://lists.apple.com/archives/security-announce/2019/Jan/msg00006.html _____________________________________________________________________ APPLE-SA-2019-1-24-1 iTunes 12.9.3 for Windows iTunes 12.9.3 for Windows is now available and addresses the following: AppleKeyStore Available for: Windows 7 and later Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A memory corruption issue was addressed with improved validation. CVE-2019-6235: Brandon Azad Core Media Available for: Windows 7 and later Impact: A malicious application may be able to elevate privileges Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-6221: Fluoroacetate working with Trend Micro's Zero Day Initiative SQLite Available for: Windows 7 and later Impact: A maliciously crafted SQL query may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2018-20346: Tencent Blade Team CVE-2018-20505: Tencent Blade Team CVE-2018-20506: Tencent Blade Team WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2019-6215: Lokihardt of Google Project Zero WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2019-6212: an anonymous researcher, Wen Xu of SSLab at Georgia Tech CVE-2019-6216: Fluoroacetate working with Trend Micro's Zero Day Initiative CVE-2019-6217: Fluoroacetate working with Trend Micro's Zero Day Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan Team CVE-2019-6226: Apple WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-6227: Qixun Zhao of Qihoo 360 Vulcan Team CVE-2019-6233: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative CVE-2019-6234: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue was addressed with improved validation. CVE-2019-6229: Ryan Pickren (ryanpickren.com) Additional recognition WebKit We would like to acknowledge James Lee (@Windowsrcer) of Kryptos Logic for their assistance. Installation note: iTunes 12.9.3 for Windows may be obtained from: https://www.apple.com/itunes/download/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================