06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
Deals: Sonos Takes Up to …
06.02.2023
Sonos today kicked off a big sale that has up to 25 percent off select products through June 18. It's been four months since we tracked a sale on new
Apple Vision diary: Tryin…
06.29.2023
There aren’t many cases of another company charging more than Apple for a similar product, but the Varjo XR-3 mixed-reality headset is a rare example. Not having been one of
Coder keeps old MacBook P…
05.12.2023
An M1 Pro MacBook Pro handles most work, but an older Intel MacBook Pro is for Windows via Boot Camp. (via Cult of Mac - Tech and culture through an
The relocated and reimagi…
05.11.2023
We learned at the beginning of the month that the very first Apple Store outside of Washington DC was not only getting a major renovation but also a new location.
Apple TV+ cooks up drama …
06.12.2023
Antonin Carême rose from humble beginnings to the height of culinary stardom in Napoleon’s Europe, and his story is coming to Apple TV+. (via Cult of Mac - Tech and
Apple patched actively ex…
06.22.2023
Don't hold off too long on updating to iOS 16.5.1 and the other new public releases, as Apple has patched multiple security issues that were actively exploited.iMessage vulnerability patchedApple released
Apple recreates the misse…
06.22.2023
Users can now speed up the iPhone's haptic feedback thanks to a new setting in iOS 17, and at its fastest, it comes close to how the old 3D Touch
Vision Pro will turn any …
06.23.2023
Developers using Apple Vision Pro have learned they will be able to create controls and displays, and have them appear to be on any surface in the user's room.Vision Pro
