06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Using macOS Disk Utility:…
06.13.2023
There are a few final useful utilities in Apple's Disk Utility you may not be aware of. Here's how to use them the continued exploration of the macOS tool.In the
Apple’s Beats Studi…
06.20.2023
Apple's upcoming Beats Studio Pro headphones today showed up in FCC filings, which means we are getting closer to a potential launch date. Apple has not yet acknowledged the Beats
Apple releases macOS Vent…
05.18.2023
Apple has released the update for macOS Ventura 13.4 to the public, in one of the last updates expected before WWDC.The latest release follows after just two beta cycles, with
Solid-state iPhone 15 but…
05.05.2023
By this point, it was already a near-certainty that Apple had canceled plans for the anticipated solid-state iPhone 15 Pro volume buttons. However, if we needed any further convincing, it
Should you be concerned a…
06.02.2023
Apple’s Reality Pro headset is almost upon us, and Mark Gurman at Bloomberg has shared an interesting new tidbit. According to Gurman, Apple will provide warnings about using the mixed
Final Cut Pro & Logic…
05.12.2023
Final Cut Pro and Logic Pro officially come to iPad, hands-on with iPhone 15 and 15 Pro dummy models, AI's prominent role at Google I/O, and what it means for
Apple Watch Pride collect…
06.11.2023
The Apple Watch has been one of the top Apple products to receive multiple LGBTQ+-inspired accessories and watch faces throughout the years. Here's a look at different pride-inspired styles Apple
Everything New in iOS 17 …
06.22.2023
Apple today released the second beta of upcoming iOS 17 and iPadOS 17 updates to developers for testing purposes, and like all new betas for a major point update, the
