Apple fixes 41 flaws in iTunes

The vulnerability in the Windows version of iTunes, CVE-2012-5112, was used in conjunction with a second flaw to bring teen hacker Pinkie Pie fame for compromising Chrome in Google’s 2012 hacking contest.

The update also patches a certificate validation issue. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning – allowing the person to execute arbitrary code.

Also notable is an update that fixes multiple memory corruption issues in WebKit that could enable a man-in-the-middle attack on consumers browsing the iTunes Store via iTunes, which could lead to an unexpected application termination or arbitrary code execution.

Chester Wisniewski, a senior security advisor at Sophos Canada, pointed out in a blog post that this vulnerability has been known and has gone unpatched for more than a year. CVE-2012-2824 was first reported on April 27, 2012, by miaubiz and was fixed in Google Chrome's implementation of WebKit just two months later – no such luck with Apple.

“iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs,” said Wisniewski. “The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn't require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.”

Wisniewski said that it’s a "use after free" vulnerability in the SVG parsing code in WebKit, with a CVSS severity score of 10, which means it’s considered easy to remotely exploit and could result in remote code execution.

“What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes,” he said. “The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod.”
