Rapid7 Vulnerability & Exploit Database

Apple iTunes security update for CVE-2008-3636

Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 09/10/2008
Created: 07/25/2018
Added: 01/03/2012
Modified: 06/20/2019

Description

Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\.\GEARAspiWDMDevice in this GEARAspiWDM.sys. However, the root cause is the integer overflow in the API call itself.

Solution(s)

  • apple-itunes-upgrade-8_0
