Endpoint Vulnerability

Security update HT6245 for iTunes

Description

Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines.

A memory corruption issue existed in iTunes MP4 parsing. This issue was addressed through additional bounds checking.
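
The Set-Cookie fix described above, sketched as an added example (not Apple's code): a header reader that processes a Set-Cookie line only once its CRLF terminator has arrived, next to the flawed behaviour. The function names, the `strict` switch and the sample response are constructed for illustration.

```python
CRLF = b"\r\n"

def parse_set_cookie(line):
    """Return (name, value, lowercased attribute names) for one Set-Cookie line."""
    _, _, body = line.partition(b":")
    parts = [p.strip() for p in body.split(b";")]
    name, _, value = parts[0].partition(b"=")
    attrs = {p.split(b"=")[0].strip().lower().decode() for p in parts[1:] if p}
    return name.decode(), value.decode(), attrs

def cookies_from_stream(received, strict=True):
    """Extract cookies from the bytes that arrived before the connection closed.

    strict=False reproduces the flawed behaviour: a trailing header fragment
    with no CRLF terminator is still processed as a header line.
    strict=True ignores incomplete header lines, as the fix does.
    """
    head, end_of_headers, _ = received.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    if not end_of_headers:
        # The header block never finished; whatever follows the last CRLF
        # is an unterminated line (empty if the data ended exactly on CRLF).
        fragment = lines.pop()
        if fragment and not strict:
            lines.append(fragment)
    cookies = {}
    for line in lines[1:]:  # lines[0] is the status line
        if line.lower().startswith(b"set-cookie:"):
            name, value, attrs = parse_set_cookie(line)
            cookies[name] = (value, attrs)
    return cookies

# Constructed sample response and a copy cut off before the cookie attributes.
FULL = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
        b"\r\n<html></html>")
TRUNCATED = FULL[:FULL.index(b"; Secure")]

if __name__ == "__main__":
    print("complete response:  ", cookies_from_stream(FULL))
    print("truncated, flawed:  ", cookies_from_stream(TRUNCATED, strict=False))
    print("truncated, strict:  ", cookies_from_stream(TRUNCATED, strict=True))
```

With the flawed behaviour the truncated response yields the cookie with an empty attribute set, so the client would store it without Secure or HttpOnly; the strict reader stores nothing.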

Affected Products

iTunes