06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
tvOS 17 feature roundup: …
06.09.2023
Apple's old "hobby" Apple TV 4K continues to evolve with ever more useful refinements and features, only a few of which Apple mentioned at WWDC. Here's what's coming to tvOS
Unpatchable vulnerability…
03.22.2024
Academic researchers have revealed in a paper published Thursday that a newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they
iPhone 11 Pro vs. 15 Pro:…
06.29.2023
While the iPhone 15 Pro has yet to launch, several new features have already been rumored. Following our iPhone 12 Pro vs. iPhone 15 Pro and iPhone 13 Pro vs.
Easily manage even massiv…
05.18.2023
Keep your words and research organized, even on your longest documents, with the Scrivener writing app for Mac or Windows. (via Cult of Mac - Tech and culture through an
10 missing hikers rescued…
05.17.2023
On May 12, 2023, the Ventura County Sheriff’s Office Upper Ojai Search and Rescue (SAR) Team located and came to the aid of 10 missing hikers near the “Last Chance”
iPhone 16 rumored to have…
05.22.2023
A new leak suggests iPhone 16 will get a vertical camera arrangement instead of the current diagonal cameras found in iPhone 14. It would look similar to iPhone 12.The iPhone
Apple’s $50 million butte…
05.28.2023
People who owned MacBooks with butterfly keyboards will now get paid. | Photo by Vjeran Pavic / The Verge The $50 million settlement over Apple’s bad butterfly keyboard design got
All the ways to run Windo…
05.30.2023
How can you run Windows on a Mac these days? Today, you have loads of options — even though Boot Camp itself no longer works. (via Cult of Mac -
