06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Apple launches the M2 Ult…
06.05.2023
Macworld Apple today introduced the new M2 Ultra processor as it completed its Apple silicon transition with the launch of the new Mac Pro. The Mac Pro has the same
Apple Vision Pro headset:…
06.05.2023
Macworld Apple’s announced the long rumored headset – which will be called Vision Pro, probably indicating that one day in the not so distant future we will see a less
Apple’s online stor…
06.05.2023
Backing up the expectation that new Macs will be announced at WWDC 2023, Apple has temporarily shut down its online store and posted a link to watch the keynote at
Apple’s latest iOS,…
05.18.2023
On Thursday, Apple's updates to all of its operating systems included some new features — but more importantly, a severe security flaw that was actively being exploited was stopped in
Snapchat stuffing ads in …
05.02.2023
Snap has heard the feedback about its not-always-welcome My AI feature and found the solution: ads! Pinning SnapchatGPT to the top of everyone’s chat list recently became a magnet for
Download the gorgeous Sal…
06.07.2023
Back in January, Basic Apple Guy released his beautiful Saltern Study wallpapers that were inspired by photographer David Burdeny. Now he’s released the gorgeous Saltern by Night wallpapers for iPhone,
How restore an iPhone fro…
06.29.2023
Macworld When you move to a new iPhone you don’t want to spend ages setting everything up from scratch to get the apps, data and settings just the way you
Top Stories: visionOS SDK…
06.24.2023
It's been two weeks since WWDC wrapped up, and this week saw Apple release the second round of betas of its upcoming operating system updates introduced at the conference, plus
