06.02.2023
Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple
Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.
iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.
Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.
Related Forum: Mac Apps
This article, "PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability" first appeared on MacRumors.com
Discuss this article in our forums
You may also be interested in this
With iPhone divorce in fu…
05.03.2023
Qualcomm is counting down the days to when it loses Apple as a modem customer, guiding weak for Q3 as orders slow.Qualcomm may lose Apple's businessThe second quarter results for
Apple previews iPadOS 17
06.05.2023
iPadOS 17 delivers the most personal and capable iPad experience ever, with a beautiful and useful Lock Screen, easier ways to find and share information, and intelligent new features to
If Apple Designed a Turnt…
07.07.2023
Former Apple design chief Sir Jony Ive has revealed his latest project, a collaboration with British audio brand Linn to design a 50th anniversary edition of its Sondek LP12 turntable.
Apple subreddit reopens a…
06.16.2023
The Apple subreddit has reopened under duress after a protest about API fees was squashed by threats from the company's CEO to remove the moderation teams of closed subreddits.Reddit coerces
BofA analyst: Apple’s WWD…
05.25.2023
Apple is expected to debut a mixed-reality headset at WWDC 2023 on June 5th, and while initial sales are expected to be limited, a BofA analyst says the launch could
Apple looking to hire mac…
05.19.2023
Apple has to deal with the "AI race" just like every other tech company, which means it has to hire talent to help shape what that means for the company
Apple sued by actor Brent…
05.29.2023
A former "Deadwood" actor is suing Apple because he alleges the company rescinded a job offer over a COVID-19 vaccination mandate.Brent Sexton in 'The Killing', copyright: AMC 2010According to the
How to use your iPad Pro …
06.20.2023
When Apple introduced the all-new stage manager and extended monitor support for the M-powered iPads, I had one thought: Can I use my iPad in clamshell mode? With a more
