Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-3434

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2008-3434
Last Modified 02 Nov 2013 10:39:03
Published 01 Aug 2008 10:41:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-3434

Summary

Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Vulnerable Systems

Application

  • Apple Itunes 1.0

  • Apple Itunes 1.1

  • Apple Itunes 1.1.1

  • Apple Itunes 1.1.2

  • Apple Itunes 2.0

  • Apple Itunes 2.0.1

  • Apple Itunes 2.0.2

  • Apple Itunes 2.0.3

  • Apple Itunes 2.0.4

  • Apple Itunes 3.0

  • Apple Itunes 3.0.1

  • Apple Itunes 4.0

  • Apple Itunes 4.0.1

  • Apple Itunes 4.1

  • Apple Itunes 4.2

  • Apple Itunes 4.5

  • Apple Itunes 4.6

  • Apple Itunes 4.7

  • Apple Itunes 4.7.1

  • Apple Itunes 4.8

  • Apple Itunes 4.9

  • Apple Itunes 5.0

  • Apple Itunes 5.0.1

  • Apple Itunes 6.0

  • Apple Itunes 6.0.1

  • Apple Itunes 6.0.2

  • Apple Itunes 6.0.3

  • Apple Itunes 6.0.4

  • Apple Itunes 6.0.4.2

  • Apple Itunes 6.0.5


References

MISC - http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf

CONFIRM - http://support.apple.com/kb/HT5030

APPLE - APPLE-SA-2011-11-14-1

FULLDISC - 20080728 Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations

Related Patches

Apple 2011-11-14 iTunes 10.5.1 for Mac (Update) (See Notes)

Apple iTunes 10.5.1 for Windows (Update) (All Languages) (See Notes)


Last Updated: 27 May 2016 10:48:12