—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

APPLE-SA-2016-09-20-7 iTunes 12.5.1 for Windows

The iTunes 12.5.1 for Windows advisory has been released to describe
the entries below:

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A parsing issue existed in the handling of error
prototypes. This was addressed through improved validation.
CVE-2016-4728: Daniel Divricean
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Visiting a maliciously crafted website may leak sensitive
data
Description: A permissions issue existed in the handling of the
location variable. This was addressed though additional ownership
checks.
CVE-2016-4758: Masato Kinugawa of Cure53
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed through
improved memory handling.
CVE-2016-4759: Tongbo Luo of Palo Alto Networks
CVE-2016-4762: Zheng Huang of Baidu Security Lab
CVE-2016-4766: Apple
CVE-2016-4767: Apple
CVE-2016-4768: Anonymous working with Trend Micro’s Zero Day
Initiative
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to access non-HTTP services
Description: Safari’s support of HTTP/0.9 allowed cross-protocol
exploitation of non-HTTP services using DNS rebinding. The issue was
addressed by restricting HTTP/0.9 responses to default ports and
canceling resource loads if the document was loaded with a different
HTTP protocol version.
CVE-2016-4760: Jordan Milne
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
state management.
CVE-2016-4765: Apple
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: An attacker in a privileged network position may be able to
intercept and alter network traffic to applications using WKWebView
with HTTPS
Description: A certificate validation issue existed in the handling
of WKWebView. This issue was addressed through improved validation.
CVE-2016-4763: an anonymous researcher
Entry added September 20, 2016

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2016-4769: Tongbo Luo of Palo Alto Networks
Entry added September 20, 2016

iTunes 12.5.1 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–
Comment: GPGTools – https://gpgtools.org

iQIcBAEBCgAGBQJX4YajAAoJEIOj74w0bLRGr/wQAIHNxCUBqgM8tAzB/NSHg1ya
QNXaeYT93j0CfzBHfuc9oAOSBfYbV0DM9/Vtj6MbYBl+z2NjEG1tBqEGpUP4m8Pj
9rCyVTyAbpK83xO3gArEmxR6YgE7DIdlP69dX3Fn4xIC96K71anYDIkdNaseml5S
+nagEtS2KFcDKrIrKFZCzyuKxyiWKqhEKBgo4WQpjsFvXTf/gZCd7wjMQgVRBxUM
NczHETeWAFg3uUoIB6R7bDwAJoEP7edWvQQUSd/vHQqcqJfqf98HwJnRXsrfIUVr
wcyX0HIDbwdmw87CiQyqWwZ9TDc5PRg1PRp4b+wxnerNVocYxJOE7Nwpnk9JBvEj
IuG6IsM9qEWwajvS35w9tQ0YObITXo/ilFRImqg/NwoCVl3BOS1niiyZA5Kc4ghI
eXTbPHRL/9sRSxGWuEpkl1PSTsKpXx0FRm2q67bG/9VQmexPdM4ghzae4ENhOSWv
pc8mvLH9cp1XKAbc1Qhsk5tJSH3RHM9GFtMbeVAFMsYbVMD+tVssj4WYr8BiJg1x
q+zaYpMF9mMtZONtr7KUJUuNLKKyvv4nZBm1GbZ9gz8glLQGlykmWU3dcXhxfulL
hzAnk3FHVvGs6yYoJASY0WFMPLNz/7XZMS+Pm5MkTCdUJ1H6wvmUGdgchFp2bR2P
tOUXttL4qy5/8JByAW2+
=Ijgf
—–END PGP SIGNATURE—–

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)