Message-ID: <20051115235254.GK8108@securityfocus.com>
Date: Tue, 15 Nov 2005 16:52:54 -0700
From: <noreply@...urityfocus.com>
To: bugtraq@...urityfocus.com
Subject: APPLE-SA-2005-11-15 iTunes 6 for Windows



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-11-15 iTunes 6 for Windows

CVE-ID: CVE-2005-2938

Available for: Microsoft Windows XP and Microsoft Windows 2000

Impact: iTunes 5 for Windows may launch the wrong helper program

Description: Due to the way iTunes 5 for Windows launches its helper
application, multiple system paths are searched to determine which
program to run. This may allow a malicious user on the local system
to create an environment where an alternate program will be executed
by iTunes.  This has already been addressed in the iTunes 6 release
for Windows, available from:
http://www.apple.com/itunes/download/

This advisory is being released at this time to coordinate with other
vendors whose products were also affected by their implementation of
the helper application launch mechanism.  Credit to iDEFENSE for
reporting this issue.

iTunes 6 for Windows may be obtained from:
http://www.apple.com/itunes/download/

The download file is named:  "iTunesSetup.exe"
Its SHA-1 digest is:  56bc7f7d8f293e703fb3801cb07ec16aaaad20c5

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)

-----END PGP SIGNATURE-----
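
An added example, not part of the advisory and not Apple's code: a Python audit helper that shows how a helper launched by bare name resolves across an ordered list of directories, and how to tell when the file that wins the search is not the intended one. The advisory gives neither the helper's name nor the real search order, so `helper.exe`, the directory names and the function names are constructed for illustration.

```python
import os
import tempfile

def candidates(name, search_dirs, exts=("", ".exe")):
    """Every file a bare helper name could resolve to, in search order."""
    hits = []
    for d in search_dirs:
        for ext in exts:
            path = os.path.join(d, name + ext)
            if os.path.isfile(path) and path not in hits:
                hits.append(path)
    return hits

def audit_launch(name, search_dirs, install_dir):
    """Report which file wins the search and whether it is the intended helper."""
    if os.path.isabs(name):
        # A fully qualified path involves no search, so nothing can shadow it.
        return {"status": "absolute", "winner": name, "others": []}
    hits = candidates(name, search_dirs)
    if not hits:
        return {"status": "not-found", "winner": None, "others": []}
    winner, others = hits[0], hits[1:]
    same_dir = os.path.realpath(os.path.dirname(winner)) == os.path.realpath(install_dir)
    if not same_dir:
        status = "wrong-helper"   # an earlier directory supplied the program
    elif others:
        status = "ambiguous"      # intended file wins, but only because of ordering
    else:
        status = "ok"
    return {"status": status, "winner": winner, "others": others}

def demo():
    """Constructed layout: an install directory plus a directory searched before it."""
    root = tempfile.mkdtemp()
    early = os.path.join(root, "searched_first")
    install = os.path.join(root, "app")
    for d in (early, install):
        os.makedirs(d)
    helper = os.path.join(install, "helper.exe")
    open(helper, "w").close()
    before = audit_launch("helper", [early, install], install)
    open(os.path.join(early, "helper.exe"), "w").close()  # same name, earlier dir
    after = audit_launch("helper", [early, install], install)
    fixed = audit_launch(helper, [early, install], install)
    return before, after, fixed

if __name__ == "__main__":
    for result in demo():
        print(result["status"], result["winner"])
```

Launching by fully qualified path, the third case in `demo()`, removes the search and with it the dependence on what other directories contain.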


