06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Horror game ‘Layers…
05.19.2023
"Layers of Fear" is an upcoming first-person psychedelic horror game, and on launch day, it will be available with native support for Apple Silicon Mac computers."Layers of Fear"The new version
Apple releases first deve…
05.19.2023
Following the conclusion of the previous beta cycle, Apple has now made available the initial developer betas for iOS 16.6 and iPadOS 16.6.New betas for iOS and iPadOSDevelopers who are
UK man pleads guilty to h…
05.10.2023
A British man has pleaded guilty over his role in schemes to hack the Twitter accounts including Apple and Elon Musk, as well as stealing $794,000 in cryptocurrency. Abené Clayton
You can now use text prom…
06.13.2023
Artists and designers can now use text prompts in Adobe Illustrator to help explore new color palettes for their creative projects.Image Credit: AdobeGenerative Recolor, a new AI-powered recolor feature, has
Casetify reveals lineup o…
06.30.2023
Apple Vision Pro won't release until early 2024, but that hasn't stopped Casetify from showing off a preview of its accessory lineup for Apple's headset.Apple Vision Pro x CasetifyApple revealed
Apple and MLB announce Au…
07.24.2023
Apple and Major League Baseball today announced the August 2023 “Friday Night Baseball” schedule, available to all Apple TV+ subscribers.
Beats Studio Buds+ are Ap…
05.15.2023
There is a preponderance of evidence that Beats Studio Buds+ are coming soon, and the latest sign is Google featuring an image of the earbuds in its Google I/O keynote.Beats
Apple Savings Users Compl…
06.01.2023
Apple Card customers who have opted to create a high-yield Apple Savings account through Goldman Sachs have been experiencing issues attempting to withdraw their money, according to a report from
