06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Going to WWDC? Meet Up Wi…
05.31.2023
Apple's Worldwide Developers Conference is kicking off next Monday, and starting later this week, developers who have been invited to attend in person will be catching flights to get to
Visual Look Up is getting…
06.29.2023
Macworld When Apple launched iOS 15 back in 2021, the updated software included a new feature in Photos called Visual Look Up. This neat AI-powered tool can recognize animals, plants,
Apple Support App updated…
08.22.2023
Apple has recently updated its Apple Support App to now display Detailed Information on Nearby Locations in order… The post Apple Support App updated with Detailed Information on Nearby Locations
Inside Apple Tysons Corne…
05.19.2023
Tysons Corner was the location of the very first Apple Store to open, and on its 22-year anniversary it opens again in a larger venue. Here's what it looks like
TSMC thinking about movin…
05.18.2023
Chip manufacturers, including Apple supplier TSMC, have begun considering moving a portion of their manufacturing to Japan as US/China tensions continue to escalate.Credit: Taiwan Semiconductor Manufacturing Co.Seven chipmakers have met
Apple TV+ hits all-time v…
05.19.2023
Powered by its flagship awards-magnet series “Ted Lasso,” new dystopian drama breakout “Silo,” and Jennifer Garner-fronted limited series “The Last Thing He Told Me,” Apple TV+ viewership has been hitting
Hands-on: Skullcandy laun…
05.16.2023
Skullcandy today is launching its latest pair of ANC headphones. The new Crusher ANC 2 deliver Skullcandy’s latest over-ear designs that on top of delivering stables like active noise cancellation,
Five brand new Apple prod…
05.26.2023
Macworld With less than two weeks to go until WWDC, the rumors are beginning to paint a picture of a jam-packed show, with a major watchOS refresh, some of our
