—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

APPLE-SA-2019-1-24-1 iTunes 12.9.3 for Windows

iTunes 12.9.3 for Windows is now available and addresses the
following:

AppleKeyStore
Available for: Windows 7 and later
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-6235: Brandon Azad

Core Media
Available for: Windows 7 and later
Impact: A malicious application may be able to elevate privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6221: Fluoroacetate working with Trend Micro’s Zero Day
Initiative

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: Multiple memory corruption issues were addressed with
improved input validation.
CVE-2018-20346: Tencent Blade Team
CVE-2018-20505: Tencent Blade Team
CVE-2018-20506: Tencent Blade Team

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-6215: Lokihardt of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6212: an anonymous researcher, Wen Xu of SSLab at Georgia
Tech
CVE-2019-6216: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-6217: Fluoroacetate working with Trend Micro’s Zero Day
Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan
Team
CVE-2019-6226: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-6227: Qixun Zhao of Qihoo 360 Vulcan Team
CVE-2019-6233: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-6234: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-6229: Ryan Pickren (ryanpickren.com)

Additional recognition

WebKit
We would like to acknowledge James Lee (@Windowsrcer) of Kryptos
Logic for their assistance.

Installation note:

iTunes 12.9.3 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
—–BEGIN PGP SIGNATURE—–

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlxHSSspHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3Fqrw//
UGoOTT5g9pxIejFnbQUY6QOoLfSOPZHSPZUZVerZbXdEbEqks5+/7HJMikogBc+0
Rh58V0qKWeE+lLTAVwRDpm2TA427z4o1fz00ExhlD2L8wPKZ8Apx522NS+X+boOk
PtXm57zCL/FrIu9zX0V3V05NNZNrI5ycS5YfAVDlCOnVkKPqIYhBh0q0ZEeemGEK
ifyTPkIG8hjtlzoFapgckzDVeSd+txIUdiY/T+wnWcDkKXU/ADEMrTur3c8LKhKC
G13FWWa0LWcJwNd94EpPGZ8hk0oH5h6WFvf6yheeTyK0nYo4j0m6KZI8TMADrMTt
G//Rx1rQLxYZXTt5IlKw8WLp5LC4/PydQptyzlatjdj20mB6efkqm4y6YZvc5Irk
4nr4+VJ/w/hVTfbkxt+zTVTQgka+3ubZ0x2C8s2vq2jYzqJwc4ZhMlCoW2kEEtL5
2AmKleX70SJD3UvRirIp23KDyCkKCXeqB/XcZVXaNUIOBoTTJrzUpfrDXN6d8mRP
4lylBHnTnkP3laQe51ZgS5oxE3AzqUlvnC2iSdb5e1Cvlchof+Ma/w13K/FR95Y/
k0qY4Xxec7DZSoMt3AKzH6uMY4gyIpGSGn1Gn80K0CEer5EF94pFArXwKyROZgia
7Qd0/V4bhj18d5fiDDWpazPqjaasRrx0HMUz4K5kfbg=
=A1td
—–END PGP SIGNATURE—–

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)