Apple Patches iTunes, iCloud for Windows, Xcode Server

2016-10-28T11:52:43
ID THREATPOST:D3661C27A50E52396D07D6CD0036AF9F
Type threatpost
Reporter Tom Spring
Modified 2016-10-28T16:00:16

Description

Apple’s iTunes and iCloud software for Windows PCs received updates on Thursday for vulnerabilities that could allow for the disclosure of personal information and arbitrary code execution. In addition to the Windows fixes, Apple also alerted Mac and iOS app developers to nearly a dozen security issues tied to its Xcode Server platform.

Apple released version 12.5.2 of iTunes for Windows on Thursday. According to the company, previous versions of iTunes compatible with Windows 7 and later are impacted by security flaws (CVE-2016-4613 and CVE-2016-7578) within Apple’s webpage rendering engine, WebKit. Both flaws can be triggered by maliciously crafted web content and could cause either arbitrary code execution or the disclosure of user information, Apple wrote in its advisory.

Those same flaws found within Apple’s WebKit rendering engine (CVE-2016-4613 and CVE-2016-7578) also impact iCloud for Windows prior to version 6.0.1. As with iTunes, iCloud versions running on Windows 7 systems and later are vulnerable to maliciously crafted web content that could result in the disclosure of user information or arbitrary code execution. Both security issues have been fixed in iCloud 6.0.1, released on Thursday.

Apple did not rate the severity of any of the security bulletins issued Thursday. The fixes come just days after Apple released a large number of security updates for macOS Sierra and vulnerabilities found in Safari, Apple Watch and Apple TV.

For security issues related to its Xcode Server 8.1 software, used by developers for building and testing iOS and Mac apps, Apple released ten CVE bulletins Thursday. Each is applicable to Xcode Server software running on OS X El Capitan v10.11.5 and later, according to Apple.

More specifically, the updates address multiple issues in the Node.js component of Xcode Server that could allow a remote attacker to cause unexpected application termination or arbitrary code execution, Apple said. Node.js is an open-source, cross-platform JavaScript runtime environment used to develop real-time web and mobile applications.

“Multiple issues existed in Node.js in Xcode Server. These issues were addressed by updating to Node.js version 4.5.0,” Apple said.