Apple recently released iTunes 11.0.3 with a number of cosmetic improvements including an updated MiniPlayer and songs view. However, this release is more than just a pretty face, bringing a number of security patches which address a wide range of vulnerabilities. Even users not interested in the visual treatments will want to grab this update.
Out of all 40 of the vulnerabilities listed in Apple’s article detailing the security content of the update, only one of them affected Mac users. The remaining 39 vulnerabilities addressed in this iTunes release only affected Windows users. Though this doesn’t mean that it’s not important to update if you’re a Mac user. The bug fixed for OS X users addresses an issue with certificate validation, where iTunes could accept an untrusted SSL certificate without alerting the user, potentially leading to intercepted or maliciously altered traffic.
Windows users were also affected by the certificate validation bug, as well as a significant number of memory corruption bugs in WebKit. These bugs could allow for a man-in-the-middle attack and potentially lead to arbitrary code execution on a user’s computer. While specific details aren’t available for all of the fixed bugs, a number of them seem to have been previously patched in iOS and Safari and are not particularly new. In fact, details of the oldest bug on the list were first discovered over a year ago, and fixed in iOS and Safari earlier this year.
If you haven’t already updated iTunes, you can update to 11.0.3 with iTunes’ “Check for Updates...” option or grab it straight from the iTunes download page.