[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

APPLE-SA-2005-11-15 iTunes 6 for Windows

Subject: APPLE-SA-2005-11-15 iTunes 6 for Windows
From: Apple Product Security <email@hidden>
Date: Tue, 15 Nov 2005 15:40:54 -0800
Delivered-to: email@hidden
Delivered-to: email@hidden

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-11-15 iTunes 6 for Windows

CVE-ID: CVE-2005-2938

Available for: Microsoft Windows XP and Microsoft Windows 2000

Impact: iTunes 5 for Windows may launch the wrong helper program

Description: Due to the way iTunes 5 for Windows launches its helper
application, multiple system paths are searched to determine which
program to run. This may allow a malicious user on the local system
to create an environment where an alternate program will be executed
by iTunes.  This has already been addressed in the iTunes 6 release
for Windows, available from:
http://www.apple.com/itunes/download/

This advisory is being released at this time to coordinate with other
vendors whose products were also affected by their implementation of
the helper application launch mechanism.  Credit to iDEFENSE for
reporting this issue.

iTunes 6 for Windows may be obtained from:
http://www.apple.com/itunes/download/

The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

iQEVAwUBQ3pxoIHaV5ucd/HdAQI+jQf/bWOoNxMlOTGB+wtv2P5DDKDH1r1aecwz
Kg5JfbApqTES/nFLE4mcnPfATVvhSXEQ0vgVEdYcf8u8p1LuvOYk4d5Tz/enBHDZ
un4j085guj7mnEUspEwtDdV8b9Y88fYrGCOk72UpRpwz5/ENJlo9F44ZAQljX7OX
TKYyDDqU1b7q3oWl6ziBPpmuOMDQ21tBs7QDZKmBd9U6dEg8JEWBo+OApnZMaaFF
MUU2ChDV3A0TFW4/Do8mgj8zP19r9hu24PMZMF0Qbrb+wP5/XvLYB9DRrXQVenWl
tVQBo4HDpSu2EHkyRvMonJ22Bu2MVks1MyG6v5Z8wQJvVMbknLhNKw==
=OcPv
-----END PGP SIGNATURE-----

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/email@hidden

This email sent to email@hidden

Prev by Date: APPLE-SA-2005-11-04 QuickTime 7.0.3
Next by Date: APPLE-SA-2005-11-29 Security Update 2005-009
Previous by thread: APPLE-SA-2005-11-04 QuickTime 7.0.3
Next by thread: APPLE-SA-2005-11-29 Security Update 2005-009
Index(es):
- Date
- Thread

Home