Apple patches many vulnerabilities in iTunes

Summary: 25 vulnerabilities are addressed in the new version 11.1.4. 24 of them affect only the Windows version of iTunes.

Apple has released iTunes version 11.1.4. The new version has a few feature improvements and a lot of security updates, nearly all on the Windows version only.

We couldn't locate release notes, but MacRumors reports them as saying:

    This version of iTunes adds the ability to see your Wish List while viewing your iTunes library, improves support for Arabic and Hebrew, and includes additional stability improvements.

There are 25 vulnerabilities fixed in total. One affects both the Mac and Windows iTunes clients, but it's not especially worrisome: "The contents of the iTunes Tutorials window are retrieved from the network using an unprotected HTTP connection. An attacker with a privileged network position may inject arbitrary contents." Horrible.

The others are all Windows-only. One could allow remote code execution through a malicious movie file. 16 are memory handling errors in WebKit, the browser engine behind Safari. The remaining seven vulnerabilities are old bugs in libxml and libxslt, widely-used code libraries. Six of the vulnerabilities were reported in 2012 and one in 2011. Leaving old code in products in this way is a common problem with Apple products.

Topics: Security, Apple

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
