06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Multiview now available f…
05.18.2023
Thursday, Apple launched the multiview feature on Apple TV 4K, allowing sports fans the ability to watch up to four simultaneous streams, including Major League Soccer matches, “Friday Night Baseball”
How to get the latest Hom…
05.19.2023
HomePod Software 16.4.1 is out. Here’s how to make sure your Apple smart speaker has the latest software version. (via Cult of Mac - Tech and culture through an Apple
How to restore an iPhone …
06.29.2023
Macworld When you move to a new iPhone you don’t want to spend ages setting everything up from scratch to get the apps, data and settings just the way you
Apple accidentally releas…
06.06.2023
The developer-only beta of iOS 17 is available to all users, seemingly by mistake.Apple announced at WWDC 2023 that a public beta, or test, release of the forthcoming iOS 17
Why Apple uses integrated…
06.28.2023
Apple's Unified Memory Architecture first brought changes to the Mac with Apple Silicon M1 chips. There are clear architectural benefits for the hardware — and it is both good and
Google’s web ad cho…
06.20.2023
Ad middleman Google kept six times the amount of money that it paid to every publisher in the world combined for hosting the ads — and the largest publisher in
Apple & Epic Games bo…
06.08.2023
Apple and Epic Games have jointly requested an appeals court to review its decision that may compel Apple to alter its payment practices within the App Store, for entirely different
Home automation standard …
05.18.2023
Matter, the new smart home standard that launched in late 2022 is getting an update, but it doesn't look like it's bringing anything new to consumers.HomePod mini and Matter logoThe
