iTunes < 12.6.2 Multiple Vulnerabilities

Versions of iTunes prior to 12.6.2 are affected by the following vulnerabilities:

• Multiple out-of-bounds read errors exist in the libxml2 component due to improper handling of specially crafted XML documents. An unauthenticated, remote attacker can exploit these to disclose user information. (CVE-2017-7010, CVE-2017-7013)
• Multiple memory corruption issues exist in the Webkit Web Inspector component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted web page, to corrupt memory, resulting in the execution of arbitrary code. (CVE-2017-7012)
• Multiple memory corruption issues exist in the WebKit component due to improper validation of input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted web page, to execute arbitrary code. (CVE-2017-7018, CVE-2017-7020, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7061)
• A memory corruption issue exists in the ‘WebKit Page Loading’ component due to improper validation of input. An unauthenticated, remote attacker can exploit this, via a specially crafted web page, to execute arbitrary code. (CVE-2017-7019)
• A flaw exists in the iPodService component when handling the iPodManager COM control due to insufficient access restrictions. A local attacker can exploit this to execute arbitrary code with system privileges. (CVE-2017-7053)
• An unspecified memory initialization issue exists in Webkit. A local attacker can exploit this, via a specially crafted application, to disclose the contents of restricted memory. (CVE-2017-7064)