#VU44209 Buffer overflow in iTunes - CVE-2012-0617

Cybersecurity Help s.r.o.

Published: 2012-03-09 | Updated: 2020-08-11

Vulnerability identifier: #VU44209

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2012-0617

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iTunes
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-03-07-1 and APPLE-SA-2012-03-07-2.

Mitigation
Install update from vendor's website.

Vulnerable software versions

iTunes: 10.0 - 10.5.3

External links
https://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html
https://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
https://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
https://osvdb.org/79939
https://secunia.com/advisories/48274
https://secunia.com/advisories/48288
https://secunia.com/advisories/48377
https://www.securityfocus.com/bid/52365
https://www.securitytracker.com/id?1026774
https://exchange.xforce.ibmcloud.com/vulnerabilities/73836
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17048

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in Apple iTunes