APPLE-SA-2005-11-15 iTunes 6 for Windows

2005-11-16T00:00:00
ID SECURITYVULNS:DOC:10251
Type securityvulns
Reporter Securityvulns
Modified 2005-11-16T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

APPLE-SA-2005-11-15 iTunes 6 for Windows

CVE-ID: CVE-2005-2938

Available for: Microsoft Windows XP and Microsoft Windows 2000

Impact: iTunes 5 for Windows may launch the wrong helper program

Description: Due to the way iTunes 5 for Windows launches its helper application, multiple system paths are searched to determine which program to run. This may allow a malicious user on the local system to create an environment where an alternate program will be executed by iTunes. This has already been addressed in the iTunes 6 release for Windows, available from: http://www.apple.com/itunes/download/

This advisory is being released at this time to coordinate with other vendors whose products were also affected by their implementation of the helper application launch mechanism. Credit to iDEFENSE for reporting this issue.

iTunes 6 for Windows may be obtained from: http://www.apple.com/itunes/download/

The download file is named: "iTunesSetup.exe" Its SHA-1 digest is: 56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQ3pxoIHaV5ucd/HdAQI+jQf/bWOoNxMlOTGB+wtv2P5DDKDH1r1aecwz Kg5JfbApqTES/nFLE4mcnPfATVvhSXEQ0vgVEdYcf8u8p1LuvOYk4d5Tz/enBHDZ un4j085guj7mnEUspEwtDdV8b9Y88fYrGCOk72UpRpwz5/ENJlo9F44ZAQljX7OX TKYyDDqU1b7q3oWl6ziBPpmuOMDQ21tBs7QDZKmBd9U6dEg8JEWBo+OApnZMaaFF MUU2ChDV3A0TFW4/Do8mgj8zP19r9hu24PMZMF0Qbrb+wP5/XvLYB9DRrXQVenWl tVQBo4HDpSu2EHkyRvMonJ22Bu2MVks1MyG6v5Z8wQJvVMbknLhNKw== =OcPv -----END PGP SIGNATURE-----