iTunes for Windows exploit bypassed antivirus to deliver ransomware

(Image credit: Pixabay)

A zero-day vulnerability in Apple’s iTunes (and iCloud) software for Windows PCs was leveraged by malicious parties to install ransomware on those machines, while bypassing any antivirus apps.

This security hole – and subsequent particularly nasty attack – has now been patched following its disclosure to Apple by security company Morphisec.

The exploit in question relied on an “unquoted path vulnerability” which isn’t often seen, Morphisec observes, although it has been found in high-profile software before now, including the Intel Management Engine and ExpressVPN (the latter as recently as July).

As the name suggests, this vulnerability is caused by a programmer assigning a variable with a path, but failing to surround that path with quotes.

This particular security flaw is present in the Apple Software Update utility which is bundled with iTunes and iCloud, and used to deliver updates.

Danger remains

The danger of this exploit was heightened by the fact that when iTunes is uninstalled, Apple Software Update remains on the PC, and needs to be removed separately – but many folks don’t realise this, so were still vulnerable to this exploit even though they’d previously ditched iTunes.

Morphisec noted: “We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises.”

Needless to say, if you’re running iTunes or iCloud on Windows, you should ensure that you’ve updated the applications (the fix is applied in iTunes 12.10.1 for Windows and iCloud for Windows 7.14).

Apple has, of course, shut down iTunes on the Mac, but the app lives on in Windows.

Worryingly, as Ars Technica reports, Morphisec further observed that it found more vulnerabilities which have been reported to Apple, but the company hasn’t fixed them yet. Apple has only resolved this particular exploit thus far.

Morphisec previously pinned the blame for this exploit on the Bonjour updater, but in an update today, noted the following: “During revalidation of the exploit, and as we continue to work with Apple on further vulnerabilities that have yet to be patched or announced, we observed that the abused vulnerability relates specifically to an Apple Software Update component that is not associated with Bonjour.”

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).