Software Update: Apple iTunes 12.10.8

Apple has released version 12.10.8 of iTunes. The program can be used to listen to music and to watch movies and TV series, which can be purchased through the Apple iTunes internet music store. It can also burn CDs and manage an iPod, iPhone or iPad. Apple’s iTunes is available for Windows 7 and newer. Version 12.10.8 should fix several security vulnerabilities, listed below by affected component.

ImageIO

  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9871: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9872: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9874: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9879: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9936: Mickey Jin of Trend Micro
  • CVE-2020-9937: Xingwei Lin of Ant-financial Light-Year Security Lab

ImageIO

  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-9873: Xingwei Lin of Ant-financial Light-Year Security Lab
  • CVE-2020-9938: Xingwei Lin of Ant-financial Light-Year Security Lab

ImageIO

  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: A buffer overflow issue was addressed with improved memory handling.
  • CVE-2020-9919: Mickey Jin of Trend Micro

ImageIO

  • Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2020-9876: Mickey Jin of Trend Micro

ImageIO

  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2020-9877: Xingwei Lin of Ant-financial Light-Year Security Lab

ImageIO

  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An integer overflow was addressed through improved input validation.
  • CVE-2020-9875: Mickey Jin of Trend Micro

WebKit

  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit

  • Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
  • Description: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions.
  • CVE-2020-9915: Ayoub AIT ELMOKHTAR of Noon

WebKit

  • Impact: Processing maliciously crafted web content may lead to universal cross site scripting
  • Description: A logic issue was addressed with improved state management.
  • CVE-2020-9925: an anonymous researcher

WebKit

  • Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
  • CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit

  • Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
  • Description: Multiple issues were addressed with improved logic.
  • CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading

  • Impact: A malicious attacker may be able to conceal the destination of a URL
  • Description: A URL Unicode encoding issue was addressed with improved state management.
  • CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector

  • Impact: Copying a URL from Web Inspector may lead to command injection
  • Description: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping.
  • CVE-2020-9862: Ophir Lojkine (@lovasoa)

Version number: 12.10.8
Release status: Final
Operating systems: Windows 7, Windows 8, Windows 10
Website: Apple
Download: https://www.apple.com/uk/itunes/download/
License type: Freeware