06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Tested: Satechi’s new 200…
05.17.2023
Earlier this year, Satechi launched its most popualr charging station to date. Brimming with 200W of GaN power, its latest USB-C offering takes on a desktop form-factor that’s outfitted with
Brydge brand & IP sol…
05.05.2023
After a promising start and well-liked products, iPad keyboard and Thunderbolt dock maker Brydge has been forced to sell its IP and brand in foreclosure, though it may still reemerge.Brydge
Apple Highlights Ways to …
05.30.2023
Ahead of WWDC, Apple is getting developers and fans hyped for the event, today highlighting some of the ways that the WWDC keynote can be watched. WWDC can be viewed
The OpenCore patcher will…
06.07.2023
The upcoming macOS Sonoma from Apple will have a different range of supported Macs compared to macOS Ventura, but the OpenCore Legacy Patcher team is working now to bring the
Younger Apple customers m…
06.07.2023
Apple has established a reputation for introducing innovative products, albeit at a premium price point, and the potentially higher cost of the Apple Vision Pro may not necessarily impede its
Here’s how you can preven…
05.30.2023
With a rise in data breaches, it’s more important than ever to protect both your personal and work information online. pCloud Pass is easy-to-use, secure cloud storage for individuals and
Your Mac screen could one…
07.03.2023
Macworld StandBy, one of a number of appealing new features in this year’s iOS 17 software update, enables iPhones to act as smart displays when plugged in and not otherwise
Apple Begins Selling Refu…
05.08.2023
Apple today started selling refurbished 14-inch and 16-inch MacBook Pro models with M2 Pro and M2 Max chips for the first time in the United States. These models launched in
