Apple Releases iTunes 11.1.4 for Mac and Windows
Posted by Derek Erwin
This week, Apple released iTunes 11.1.4 for Macintosh and Windows platforms. These software updates fix a combined 25 bugs: 1 flaw resolved in iTunes for Mac OS X 10.6.8 or later, and an additional 24 flaws resolved just for Windows 8, Windows 7, Vista, XP SP2 or later.
Apart from the security updates, as you can see prominently mentioned in the iTunes 11.1.4 release notes, Apple purportedly now lets you see your Wish List while viewing your iTunes library. Previously, you could only see your Wish List from within the iTunes Store. And, well, that appears to still be the case. (Jan 27 update: It is finally showing up now.) But I digress, and back to security we go.
The iTunes versions available for Mac OS X 10.6.8 or later, Windows 8, Windows 7, Vista, XP SP2 or later address a vulnerability in which an attacker with a privileged network position may control the contents of the iTunes Tutorials window. Apple describes the vulnerability as follows:
CVE-2014-1242 : The contents of the iTunes Tutorials window are retrieved from the network using an unprotected HTTP connection. An attacker with a privileged network position may inject arbitrary contents. This issue was addressed by using an encrypted HTTPS connection to retrieve tutorials.
The iTunes versions available for Windows 8, Windows 7, Vista, XP SP2 or later address the following vulnerabilities:
- CVE-2013-1037, CVE-2013-1038, CVE-2013-1039, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1044, CVE-2013-1045, CVE-2013-1046, CVE-2013-1047, CVE-2013-2842, CVE-2013-5125, CVE-2013-5126, CVE-2013-5127, CVE-2013-5128 : A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
- CVE-2011-3102, CVE-2012-0841, CVE-2012-2807, CVE-2012-5134 : A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in libxml. These issues were addressed by updating libxml to version 2.9.0.
- CVE-2012-2825, CVE-2012-2870, CVE-2012-2871 : A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in libxslt. These issues were addressed by updating libxslt to version 1.1.28.
Mac users can download the update now via OS X’s built-in Software Update feature, or from the iTunes 11.1.4 Downloads page. Windows 64-bit users can get the update from the iTunes 11.1.4 for Windows (64-bit) Downloads page.