06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
How to use the new Apple …
06.27.2023
In keeping with most of macOS Sonoma, Apple has only added minor updates to using PDFs in Notes — but you'll never want to go back.Apple Notes is a good
Apple inching closer to o…
05.04.2023
Apple CEO Tim Cook gave encouraging results for its Services business, saying the company is nearing one billion paid subscriptions, nearly double from three years ago.Apple nears a billion paid
Apple Vision Pro & iO…
06.06.2023
Apple hasn't just grown the number of people interested in headsets, it's given accessory makers a whole new market — and so has iOS 17.It's just calling out for a
Horror game ‘Layers…
05.19.2023
"Layers of Fear" is an upcoming first-person psychedelic horror game, and on launch day, it will be available with native support for Apple Silicon Mac computers."Layers of Fear"The new version
Give Mom some flowers &am…
05.04.2023
Apple's annual Mother's Day promotion for Apple Pay users is underway to assist users in saving money for purchasing flowers, chocolates, and other personalized gifts.Apple runs its annual Mother's Day
Historic Apple check sign…
05.11.2023
A rare and pristine Apple Computer Company check signed by Steve Jobs in 1976 fetched enough money to buy the owner a giant, six-carat diamond.A check signed by Steve JobsDated
Georgia residents can now…
05.18.2023
The state of Georgia has officially enabled support for digital driver's licenses and state IDs to be stored and used on Apple devices in airports.Georgia digital IDsIt's the fourth US
How to get started with m…
06.12.2023
AppleScript is Apple's powerful automation language for macOS. Here's how to use it to speed up your workflow when using your Mac.HistoryAppleScript was born in the early 1990's at Apple
