06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability.
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.
All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild, so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com

