==================================================================== CERT-Renater Note d'Information No. 2020/VULN159 _____________________________________________________________________ DATE : 25/03/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows running iTunes versions prior to 12.10.5. ===================================================================== https://lists.apple.com/archives/security-announce/2020/Mar/msg00005.html _____________________________________________________________________ APPLE-SA-2020-03-24-6 iTunes for Windows 12.10.5 iTunes for Windows 12.10.5 is now available and addresses the following: libxml2 Available for: Windows 7 and later Impact: Multiple issues in libxml2 Description: A buffer overflow was addressed with improved size validation. CVE-2020-3910: LGTM.com libxml2 Available for: Windows 7 and later Impact: Multiple issues in libxml2 Description: A buffer overflow was addressed with improved bounds checking. CVE-2020-3909: LGTM.com CVE-2020-3911: found by OSS-Fuzz WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2020-3901: Benjamin Randazzo (@____benjamin) WebKit Available for: Windows 7 and later Impact: A download's origin may be incorrectly associated Description: A logic issue was addressed with improved restrictions. CVE-2020-3887: Ryan Pickren (ryanpickren.com) WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved memory handling. CVE-2020-3895: grigoritchy CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech WebKit Available for: Windows 7 and later Impact: An application may be able to read restricted memory Description: A race condition was addressed with additional validation. CVE-2020-3894: Sergei Glazunov of Google Project Zero WebKit Available for: Windows 7 and later Impact: A remote attacker may be able to cause arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-9783: Apple WebKit Available for: Windows 7 and later Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory consumption issue was addressed with improved memory handling. CVE-2020-3899: found by OSS-Fuzz WebKit Available for: Windows 7 and later Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: An input validation issue was addressed with improved input validation. CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit) WebKit Page Loading Available for: Windows 7 and later Impact: A file URL may be incorrectly processed Description: A logic issue was addressed with improved restrictions. CVE-2020-3885: Ryan Pickren (ryanpickren.com) Additional recognition WebKit We would like to acknowledge Emilio Cobos Álvarez of Mozilla, Samuel Groß of Google Project Zero, and an anonymous researcher for their assistance. Installation note: iTunes for Windows 12.10.5 may be obtained from: https://www.apple.com/itunes/download/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================