Apple Patches iTunes, iCloud for Windows, Xcode Server

Apple addressed vulnerabilities in iTunes and iCloud for Windows, and Xcode Server on Thursday.

Apple’s iTunes and iCloud software for Windows PCs received updates on Thursday for vulnerabilities that could allow for the disclosure of personal information and arbitrary code execution. In addition to the Windows fixes, Apple also alerted Mac and iOS app developers to nearly a dozen security issues tied to its Xcode Server platform.

Apple released version 12.5.2 of iTunes for Windows on Thursday. According to the company, previous versions of iTunes compatible with Windows 7 and later are affected by security flaws (CVE-2016-4613 and CVE-2016-7578) in Apple’s WebKit web rendering engine. Both flaws can be triggered by maliciously crafted web content and could result in either arbitrary code execution or the disclosure of user information, Apple wrote in its advisory.

Those same WebKit flaws (CVE-2016-4613 and CVE-2016-7578) also impact iCloud for Windows prior to version 6.0.1. As with iTunes, iCloud versions running on Windows 7 and later are vulnerable to maliciously crafted web content that could result in the disclosure of user information or arbitrary code execution. Both security issues are fixed in iCloud 6.0.1, released on Thursday.

Apple did not rate the severity of any of the security bulletins issued Thursday. The fixes come just days after Apple released a large number of security updates for macOS Sierra and vulnerabilities found in Safari, Apple Watch and Apple TV.

For security issues related to its Xcode Server 8.1 software, used by developers for building and testing iOS and Mac apps, Apple released ten CVE bulletins Thursday. Each is applicable to Xcode Server software running on OS X El Capitan v10.11.5 and later, according to Apple.

More specifically, the updates address multiple issues in Node.js in Xcode Server that could allow a remote attacker to cause unexpected application termination or arbitrary code execution, Apple said. Node.js is an open-source, cross-platform JavaScript runtime environment used to develop real-time web and mobile applications.

“Multiple issues existed in Node.js in Xcode Server. These issues were addressed by updating to Node.js version 4.5.0,” Apple said.


Discussion

  • J on

    I have been researching this and many other major Apple security holes for the past 4 months. My findings are horrifying. There is still a zero-day vulnerability in iOS 10.1.1 and the recent beta versions of 10.2. The 12 major holes supposedly patched by Apple with the release of 10.1 did not work. Every iPhone is vulnerable and there has been no fix. If you are a researcher and want to learn more about my findings before I release my report, email me. The malware is spreading so fast and will ultimately expose a ton of people...
