06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
How to Lock Specific iPho…
05.05.2023
In the interests of enhanced privacy, some third-party iOS apps include an option to require passcode or Face ID authentication before they can be opened, even though the iPhone is
Samsung abandons plans to…
05.19.2023
Samsung has decided to stop its internal assessment that explored the possibility of switching the default search engine on its smartphones to Microsoft's Bing.Samsung continues with GoogleOpenAI's technology has been
Apple now selling refurbi…
05.24.2023
Apple has started selling its most affordable Apple Silicon-powered Mac at an even lower price. The M2 Mac mini, which was released back in January starting at $599, is now
Fake ‘Trezor Wallet’ Bitc…
06.22.2023
One of Apple’s key arguments in favor of making the App Store the only way to download apps on iOS is the app review process, which ensures that users are
Comment: Apple Store tips…
05.04.2023
Whether you are for or against the unionization of Apple’s retail stores, I think few would begrudge the staff many of the things they are seeking. But the call for
Apple Pay announces exclu…
06.08.2023
Just in time for Father's Day promotions, Apple and select retailers are offering incredible deals and discounts exclusively for Apple Pay users.Image credit: AppleAs part of this promotion, Apple Pay
Deals: AirPods Max $99 of…
06.13.2023
All of today’s best deals are now headlined by a chance to save on AirPods Max at $99 off. No refresh at WWDC means that these are and will still
Everything New With CarPl…
06.21.2023
Apple is introducing new functionality for almost every iPhone app and feature with iOS 17, and CarPlay hasn't been left out. We haven't seen the total overhaul of CarPlay that
