06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Apple reveals 45 app and …
11.25.2024
Today, Apple revealed 45 app and game finalists for the 2024 App Store Awards.
All eyes on Apple as its …
06.05.2023
Apple is expected to unveil a mixed- or extended-reality (XR) headset at WWDC, its annual software developer conference on Monday, its first big move into a new product category since
How to reduce eye strain …
06.16.2023
With the upcoming iOS 17 release, Apple is introducing a new feature to alleviate eye strain. Here's how to enable it on your device.iOS 17 introduces Screen DistanceOver the years,
Oculus Rift inventor Palm…
06.08.2023
The inventor of the Oculus Rift VR headset and founder of Oculus VR (sold to Facebook for $2 billion in 2014), Palmer Luckey, calls the Apple Vision Pro spatial computer
Apple continues work on m…
05.18.2023
Apple has been working to mass-produce its own advanced micro-LED displays so it has more control over such a critical component of its products while also easing its reliance on
I entered Apple’s thrilli…
06.07.2023
Macworld At Apple’s WWDC23, I think I saw the future. [Pausing to ponder.] Yeah, I’m pretty sure I saw the future–or at least Apple’s vision of the future of computing.
Satechi’s new USB-C docki…
06.13.2023
Satechi this week is launching the latest addition to its stable of workstation gadgets, giving Mac owners another way to interface with all of their favorite peripherals. The new Triple
tvOS 17 helps you hear wh…
06.11.2023
A common complaint of late is that it’s hard to hear people in TV shows and movies these days, with character voices buried behind the cacophony of sound effects and
