06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Bigger iPhone 15 batterie…
07.07.2023
On this week's episode of the AppleInsider Podcast, a new rumor claims that the iPhone 15 battery may be giant, Meta's Twitter-rival Threads has launched to success but also privacy
Apple Reality Pro headset…
05.22.2023
Macworld It’s looking more and more like Apple’s next big thing won’t be something that fits in your pocket or a bag. Rather it could be another wearable device–specifically an
How to back up your Mac&#…
05.20.2023
The Mac's Contacts app is incredibly useful for storing personal and work contact info. Here's how to back up your Contacts database.Contacts in macOSmacOS's Contacts app lives in the /Applications
STM Goods Portable Phone …
05.12.2023
If you've ever tried balancing your phone for FaceTime or video conferencing only to have it fall over, the STM Goods Magarm tries to be a solution to keep your
Apple files plans to buil…
06.09.2023
In the latest development for Apple moving to the Research Triangle in North Carolina, new records show Apple filed an application with Wake County to build office buildings off Louis
Apple Releases First Beta…
06.05.2023
Following today's keynote event, Apple has released the first betas of iOS 17 and iPadOS 17 to developers for testing purposes. The betas are only available for those with a
Billie Eilish is Apple Mu…
11.21.2024
Billie Eilish was announced today as Apple Music’s Artist of the Year, recognizing the singer-songwriter’s extraordinary impact throughout 2024.
Apple catches prolific le…
05.11.2023
Apple has identified Twitter user @analyst941 (and his sister, who is now an ex-Apple employee), who has of late been revealing information about unreleased Apple products, including the iPhone 14
