A security researcher has claimed that the recently released iTunes 12.0.1 for Windows comes with at least 45 unpatched vulnerabilities, many of which are as old as seven years.
The vulnerabilities are present in iTunes 12.0.1 because AppleMobileDeviceSupport.msi contains outdated and vulnerable third-party libraries, claims Stefan Kanthak in a Full Disclosure post.
Kanthak notes in the post that two libraries, libeay32.dll and ssleay32.dll 0.9.8d, are more than seven years old and come with at least 27 unfixed CVEs, and that libcurl.dll 7.16.2, which is also more than seven years old, has at least 18 unfixed CVEs.
He had raised the issue back in July 2014 for iTunes 11.2.2 for Windows, noting that the outdated libraries had at least 66 vulnerabilities; that number appears to have dropped to at least 45, as Apple seems to have either worked on or removed the affected libraries.