Apple patches many vulnerabilities in iTunes

Summary: 25 vulnerabilities are addressed in the new version 11.1.4. 24 of them affect only the Windows version of iTunes.

TOPICS: Security, Apple

Apple has released iTunes version 11.1.4. The new version has a few feature improvements and a lot of security updates, nearly all on the Windows version only.

We couldn't locate release notes, but MacRumors reports them as saying:

    This version of iTunes adds the ability to see your Wish List while viewing your iTunes library, improves support for Arabic and Hebrew, and includes additional stability improvements.

There are 25 vulnerabilities fixed in total. One affects both the Mac and Windows iTunes clients, but it's not especially worrisome: "The contents of the iTunes Tutorials window are retrieved from the network using an unprotected HTTP connection. An attacker with a privileged network position may inject arbitrary contents." Horrible.

The others are all Windows-only. One could allow remote code execution through a malicious movie file. 16 are memory handling errors in WebKit, the browser engine behind Safari. The remaining seven vulnerabilities are old bugs in libxml and libxslt, widely-used code libraries. Six of the vulnerabilities were reported in 2012 and one in 2011. Leaving old code in products in this way is a common problem with Apple products.

  • Apple Patches Vulnerabilities

    That's good, but did they make their software any less sucky on Windows machines?
    • Except the update has completely crashed iTunes on my PC

      Even after repeatedly uninstalling and then reinstalling the program, it doesn't work.
  • Six of the vulnerabilities were reported in 2012 and one in 2011

    Leaving old code in products in this way is a common problem with Apple products.

    Exactly. Vulnerabilities left unpatched for 2-3 years. Apple sets the gold standard for unpatched vulnerabilities.
  • Apple patches many vulnerabilities in iTunes

    25 vulnerabilities seems like a lot when talking about a stand alone application. Apple should rewrite or at least slim down iTunes. Maybe that will take out some of the vulnerabilities with it.
    • The only thing I see going south with that

      is that iTunes is a pretty comprehensive media manager and server, running a database engine (probably SQL) to keep track of those 300,000 songs, 12,000 episodes of TV, and 4,200 movies you've downloaded over the years, Lovie. Windows Media would choke on a library that size, as would pretty much any other program that does everything iTunes does in the background.
  • Good article

    BAD ads. 2 of the 3 "Sponsored Links" are for websites that install browser hijacker toolbars. Both say "recommended" on them. I'm smart enough to recognize a scam when I see one, but not all of your users are.

    Do better, ZDnet! Your reputation as a safe website is at stake. I saw the same thing happen to CNet and, and with all the crapware bundling and featured scamware on, I can no longer trust the safety of those programs, so I don't go there anymore.
  • Latest patch is a mess

    I've had iTunes on my Windows 7 desktop for years with no issues. This latest update (11.1.4) won't install and completely blew up my existing iTunes to where it won't start up at all.

    If you're a Windows 7 user, I would advise against installing the 11.1.4 update.
    • Be sure to get help if needed to install this patch

      Not installing can't be a sensible response, nor any kind of good advice given the improvements here, and thus hazards from attackers using the evidenced vulnerabilities if you don't keep up to date.

      The upgrade installed easily here, and no doubt on many, many machines.

      If you have a problem, Apple phone support is free, and very good. In my experience, they will proceed on a problem until it is fixed, including any that have to do with their own servers or old iTunes accounts, etc..
      Narr vi
    • iTunes broke for me as well...

      ...but eventually, I just uninstalled iTunes along with Apple's "Mobile Device Support" program. Then I went to the Apple website and downloaded a fresh copy. It's been working horribly ever since. This is nothing new, so on my PC, the status quo has been restored.
    • Patch Removed Something Vital

      My iTunes had been working just fine. I opened up iTunes the other night and it asked if I wanted to install the latest patch. I said yes, as I usually do. During the process, iTunes crashes, giving me an error message: "Error 7 (Windows error 126)", the file MSVCR80.dll is missing. Every attempt to open iTunes results in the same message. I uninstalled, then re-installed. Same result.

      Now I'm busy trying to figure out how to replace this dll file, with no iTunes, and thus no way to update the podcasts on my iPod that I listen to at work. Also, in my hunting around for a solution, I've found that I'm not the only person this has happened to with this update, and it's apparently a repeat of a problem that Apple caused back in 2011.
      Devin Parker
      • Fixed It

        Here's what worked for me, advice I found from the poster turingtest2 on the Apple Support Communities:

        Go to Control Panel > Add or Remove Programs (Windows XP) or Programs and Features (later versions of Windows)

        Remove all of these items in the following order:
        1. iTunes
        2. Apple Software Update
        3. Apple Mobile Device Support
        4. Bonjour
        5. Apple Application Support

        Reboot, download iTunes from the Apple site, then reinstall, either using an account with administrative rights or right-clicking the downloaded installer and selecting Run As Administrator.

        That seemed to do the trick for me. iTunes is back on my computer and I'm downloading podcasts once more.
        Devin Parker
  • Nice in theory, but won't install

    I've tried a couple of times today. Won't Install, won't run.
    Maybe next week there'll be a fix.
  • iTunes 11.1.4

    I have been unable to install in my Windows 7 64 bit. A manual install was recommended. That did not work either.
  • iTunes 11.1.4 Upgrade Repair and Release Notes

    Here are the full (?) release notes for iTunes 11.1.4 I just found at Apple:

    About the security content of iTunes 11.1.4

    Also, I have a Windows 7 x64 system and last night trying to do the version upgrade my iTunes bombed out bad.

    I was able to get it restored and upgraded by going through this repair process:

    QuickPost: Apple iTunes 11.1.4 Update Runtime error R6034

    Hopefully it helps someone...

    • self edit

      I just realized that the reference to the security info was already linked in the article. My bad.

      I suppose "release notes" does not equal "security content info".

  • iTunes 11.1.4 crash

    Add me to the list of system crashes after 11.1.4 "installed" -- which it of course failed to do yet took MSVCR80.dll into the bit bucket along with it. Steve Jobs, I know you're dead -- but you and all your hardware and software and website still suck!
  • AGAIN - iTunes 11.1.4 Crash Problem - Everywhere !

    Folks: 1-26-14 3 pm EST

    Here is a suggested fix from the Apple Discussions forum (by 'turingtest2') - seems to work for most folks. I'm next to try it !!

    Go to Control Panel > Add or Remove Programs (Win XP) or Programs and Features (later)

    Remove all of these items in the following order:
    • Apple Software Update
    • Apple Mobile Device Support (if this won't uninstall go to the next item)
    • Apple Application Support

    Reboot, download iTunes, then reinstall, either using an account with administrative rights, or right-clicking the downloaded installer and selecting Run as Administrator.

    The uninstall and reinstall process will preserve your iTunes library and settings, but ideally you would back up the library and your other important personal documents and data on a regular basis. See this user tip for a suggested technique.

    Please note:
    Some users may need to follow all the steps in whichever of the following support documents applies to their system. These include some additional manual file and folder deletions not mentioned above.

    HT1925: Removing and Reinstalling iTunes for Windows XP

    HT1923: Removing and reinstalling iTunes for Windows Vista, Windows 7, or Windows 8
    Should you get the error iTunes.exe - Entry Point Not Found after the above then search the computer for copies of the file QTMovieWin.dll - you should only have one copy in the relevant folder for your system.

    C:\Program Files\Common Files\Apple\Apple Application Support (32-bit Windows)

    C:\Program Files (x86)\Common Files\Apple\Apple Application Support (62-bit Windows)

    Delete any others and not only should this fix the problem, but prevent it from recurring on subsequent updates.
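
The search for extra copies of QTMovieWin.dll described in the comment above can be scripted. The following is an added example, not part of the original post or Apple's instructions: it only reports, deletes nothing, and assumes the stray copies sit on local fixed drives; the two expected folders are the ones quoted in the comment.

```powershell
# Added example: list every copy of QTMovieWin.dll on local fixed drives and
# flag the ones outside the Apple Application Support folder.
# Report-only: review the output before removing anything by hand.

$dllName = 'QTMovieWin.dll'

# Expected locations, as given in the comment above (32-bit and 64-bit Windows).
$expected = @(
    'C:\Program Files\Common Files\Apple\Apple Application Support',
    'C:\Program Files (x86)\Common Files\Apple\Apple Application Support'
)

# Assumption: only fixed, ready drives are searched (no network or removable media).
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

# Unreadable folders are skipped silently instead of aborting the search.
$copies = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $dllName -Recurse -Force -ErrorAction SilentlyContinue
}

$report = foreach ($file in $copies) {
    # The Authenticode status shows whether a copy is a validly signed binary
    # or something that merely carries the same file name.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path       = $file.FullName
        Version    = $file.VersionInfo.FileVersion
        Signature  = $sig.Status
        Signer     = $signer
        InExpected = ($expected -contains $file.DirectoryName)
    }
}

# Copies outside the expected folder are listed first.
$report |
    Sort-Object InExpected |
    Format-List Path, Version, Signature, Signer, InExpected
```

Running it from an elevated prompt reduces the number of folders skipped for lack of access.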

  • A week later and still broken

    One would think that Apple would put a hold on this update
    I have had many calls about the "msvcr80.dll missing error" because of this update
    Do not download it