Yes, and no. Windows 7, which iTunes still supports, does not have a system implementation of SQLite but Microsoft is updating SQLite in Windows 10, and that relieves developers of the need to update their applications in response to SQLite updates. Should make the developer's life easier, and possibly make applications that use SQLite to store data safer.
Over on our Mac side of the fence, if there are Mac applications that "call" the embedded 3.16 SQLite in Sierra, then add their own FTS3 plugin, those developers would have to go further, disconnect from the 3.16 version in Sierra, and package SQLite into their applications. Not going to happen with the black crepe for Sierra already on order.Windows (.com) said:Using SQLite databases in UWP apps
Since the Windows 10 Anniversary Update (Build 14393), SQLite has also shipped as part of the Windows SDK. . . . This comes with some advantages:
- Your application size reduces since you don’t download your own SQLite binary and package it as part of your application . . .
- You can depend on the Windows team to update the version of SQLite running on the operating system with every release of Windows.
As to Todd's comments that the listed versions of iTunes with SQLite vulnerabilities were "Windows only", iTunes 12.8 is listed. There's a Windows 12.8 and, apparently, a Mac 12.8. Confusion reigns, when I'd like certainty on security issues.
Even as I was typing this post, Ric added more about macOS vulnerabilities, the most stunning the hack into Keychain on Mojave 10.14.3 - with an app that looks a lot like an SQLite interface (?).The Mac Observer said:Apple Releases iTunes 12.8 with AirPlay 2 Support (July 10, 2018)
Along with macOS High Sierra 10.13.6, Apple released iTunes 12.8 . . .
That obfuscation is classic Apple secrecy-obsession. It won't keep "bad guys" from testing their malware against a patched Mac, but it doesn't allow end-users to know if Macs are vulnerable to the latest known threats. Be interesting to know if developers of known applications like Malwarebytes are informed by Apple what MRT is blocking. Might save duplicate work, and avoid complications when two different applications are trying to intercept the same malware.Another undocumented update to Apple's invisible anti-malware mechanism: . . . it now obfuscates the names of malware which it can detect and remove
Wander thorough Apple's "security pages" and in a couple of clicks you'll confront the one security Mac recommendation highlighted above all others: "Upgrade to Mojave 10.14.3"
Could it be that the keychain on my MacBook Pro orphaned on El Capitan is safer than on the latest version of Mojave?