Endpoint Vulnerability

Security update HT207158 for iTunes

Description

A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.

A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.

Multiple memory corruption issues were addressed through improved memory handling.

Safari's support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

A memory corruption issue was addressed through improved state management.

A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.

A memory corruption issue was addressed through improved input validation.

Affected Products

iTunes