06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Apple Mac Pro Innovation:…
03.08.2024
The Mac Pro has long been a symbol of raw power and unyielding performance for creative professionals. In 2023, Apple unveiled a significant update to this iconic machine, promising a
‘World of Goo Remastered’…
05.08.2023
On Friday night, Netflix and Tomorrow Corporation announced that the remaster of “World of Goo” will hit iOS on May 23rd worldwide. Mikhail Madnani for Touch Arcade: The indie classic
USB-C AirPods Pro 2 may t…
07.02.2023
Apple's next version of the AirPods Pro equipped with USB-C will ship this fall, a report claims, and it may even help users discover hearing problems too.An AirPods Pro caseApple
Dreametech D10s Plus is a…
06.13.2023
Robot vacuum technology has dramatically improved in recent years. Gone are the days of needing to empty your smart robot halfway through every cleaning job. Instead, the best robot vacuums
The computer is a bicycle…
06.13.2023
In a recent episode of Scott Galloway’s Prof G podcast, the host walks through his view of why Vision Pro will be a net fail for society. In short, time
What’s on Apple TV+: ‘STI…
05.12.2023
Macworld Apple has planted its own flag in the streaming wars with Apple TV+, its in-house streaming service that focuses almost entirely on original programming rather than an extensive library
Meet three Swift Student …
05.01.2024
Meet Dezmond Blair, Elena Galluzzo, and Jawaher Shaman, three winners of Apple’s 2024 Swift Student Challenge.
Apple TV+ dramedy ‘…
05.18.2023
Critically acclaimed dark comedy "Physical" returns to Apple TV+ on August 2, drawing Sheila's story to a triumphant close.'Physical' season three will be its last"Physical" stars Rose Byrne and is
