9to5Mac - Friday, October 11, 2019 at 7:02 AM
Vulnerability in iTunes and iCloud allowed Windows PC ransomware infection
A zero-day vulnerability in iTunes and iCloud apps on Windows PCs enabled
attackers to install ransomware without triggering antivirus protections.
Ransomware encrypts the entire hard drive or SSD with a key known only to the
attacker, enabling them to demand a ransom to decrypt the machine …
NordVPN
ArsTechnica reports that the exploit was discovered by security company
Morphisec.
The vulnerability resided in the Bonjour component that both iTunes and iCloud
for Windows relies on, according to a blog post. The bug is known as an
unquoted service path, which as its name suggests, happens when a developer
forgets to surround a file path with quotation marks. When the bug is in a
trusted program—such as one digitally signed by a well-known developer like
Apple—attackers can exploit the flaw to make the program execute code that AV
protection might otherwise flag as suspicious.
Essentially, a bug in Apple’s apps meant that an attacker could get them to run
a malicious app, while antivirus software wouldn’t check what was happening
because it was apparently being done by signed Apple apps and therefore
automatically flagged as ok.
Apple has patched the vulnerability in iTunes 12.10.1 for Windows and iCloud
for Windows 7.14, so PC users should check they have both updates installed.
Additionally, if you’ve ever run iTunes on your PC, even if you later removed
it, you could still at risk.
That’s because the iTunes uninstaller doesn’t automatically remove Bonjour.
“In most cases, people are not aware that they need to uninstall the Bonjour
component separately when uninstalling iTunes. Because of this, machines are
left with the updater task installed and working.
We were surprised by the results of an investigation that showed the Bonjour
updater is installed on a large number of computers across different
enterprises. Many of the computers uninstalled iTunes years ago while the
Bonjour component remains silently, un-updated, and still working in the
background. Following this discovery, we identified the attack surface and the
motivation of the attacker to choose this process for evasion.”
Macs are not affected, no matter which version of macOS you are running.
Additionally, macOS Catalina replaces iTunes with a brand new Music app.
Morphisec says the vulnerability was being actively exploited to install
ransomware called BitPaymer. It reported the issue to Apple and has disclosed
details only now that the company has released updates to close the security
hole.
Photo: Shutterstock
https://9to5mac.com/2019/10/11/vulnerability-in-itunes/
David Goldfield
Assistive Technology Specialist
Feel free to visit my Web site
WWW.DavidGoldfield.info
