Apple patches many vulnerabilities in iTunes

25 vulnerabilities are addressed in the new version 11.1.4. 24 of them affect only the Windows version of iTunes.

Apple has released iTunes version 11.1.4. The new version has a few feature improvements and a lot of security updates, nearly all of which affect only the Windows version.

We couldn't locate release notes, but MacRumors reports them as saying:

    This version of iTunes adds the ability to see your Wish List while viewing your iTunes library, improves support for Arabic and Hebrew, and includes additional stability improvements.

There are 25 vulnerabilities fixed in total. One affects both the Mac and Windows iTunes clients, but it's not especially worrisome: "The contents of the iTunes Tutorials window are retrieved from the network using an unprotected HTTP connection. An attacker with a privileged network position may inject arbitrary contents." Horrible.

The others are all Windows-only. One could allow remote code execution through a malicious movie file. 16 are memory handling errors in WebKit, the browser engine behind Safari. The remaining seven vulnerabilities are old bugs in libxml and libxslt, widely used code libraries: six of them were reported in 2012 and one in 2011. Leaving old code in place in this way is a common problem with Apple products.