A zero-day vulnerability in iTunes and iCloud apps on Windows PCs enabled attackers to install ransomware without triggering antivirus protections. Ransomware encrypts the entire hard drive or SSD with a key known only to the attacker, enabling them to demand a ransom to decrypt the machine …
ArsTechnica reports that the exploit was discovered by security company Morphisec.
The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which, as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.
Essentially, a bug in Apple’s apps meant that an attacker could get them to run a malicious app, while antivirus software wouldn’t check what was happening because it was apparently being done by signed Apple apps and therefore automatically flagged as OK.
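To make the "unquoted service path" mechanism concrete, here is an added audit script that is not part of the article and not Morphisec's or Apple's code. It takes service ImagePath values as Windows stores them in the registry (on a real host you would feed it the PathName of each service from `Get-CimInstance -ClassName Win32_Service`), reproduces the lookup order Windows uses when the path is unquoted and contains spaces, lists the locations that get checked before the intended binary, and shows the fix of quoting the path. The service names and paths below are constructed placeholders, not the actual Bonjour values.

```python
"""Audit Windows service ImagePath values for the unquoted-service-path bug.

Added example, not code from the article, Morphisec or Apple. The service
entries are constructed placeholders rather than real Bonjour/iTunes values.
"""
import ntpath
import re

# Constructed sample entries: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Illustrative only.
SAMPLE_SERVICES = {
    "GoodQuoted": '"C:\\Program Files\\Example Vendor\\Updater\\updater.exe" -service',
    "BadUnquoted": "C:\\Program Files\\Example Vendor\\Updater\\updater.exe -service",
    "NoSpaces": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "EnvVar": "%SystemRoot%\\System32\\example.exe",
}

_ENDS_WITH_EXE = re.compile(r"\.exe$", re.IGNORECASE)


def _with_exe(prefix):
    """Windows appends .exe to a candidate program name that has no extension."""
    return prefix if ntpath.splitext(prefix)[1] else prefix + ".exe"


def lookup_order(image_path):
    """Executables Windows would try, in order, for the given ImagePath.

    For an unquoted path CreateProcess treats every space as a possible end of
    the program name, so each space-delimited prefix is tried in turn. The
    first prefix that already ends in .exe is taken as the intended binary.
    Environment variables such as %SystemRoot% are left unexpanded.
    """
    stripped = image_path.strip()
    if stripped.startswith('"'):
        # Quoted path: the program name is unambiguous, nothing else is tried.
        end = stripped.find('"', 1)
        return [stripped[1:end] if end != -1 else stripped[1:]]
    tokens = stripped.split(" ")
    order = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        order.append(_with_exe(prefix))
        if _ENDS_WITH_EXE.search(prefix):
            break  # reached the real executable name
    return order


def unintended_lookups(image_path):
    """Paths checked *before* the intended binary (empty list = nothing to fix).

    Each of these is a location where a file planted by a low-privileged user
    would be run with the service's privileges, so an auditor should confirm
    that the parent directory of every entry is not writable by standard users.
    """
    return lookup_order(image_path)[:-1]


def quote_image_path(image_path):
    """The fix: wrap the executable part of an unquoted ImagePath in quotes.

    Already-quoted or space-free paths are returned unchanged. A path whose
    executable has no .exe suffix is left for manual review, because the end
    of the program name cannot be determined from the string alone.
    """
    stripped = image_path.strip()
    order = lookup_order(image_path)
    if stripped.startswith('"') or len(order) == 1:
        return stripped
    exe = order[-1]
    if not stripped.startswith(exe):
        return stripped  # no .exe suffix found; review by hand
    return f'"{exe}"{stripped[len(exe):]}'


def audit(services):
    """Map each service name to its unintended lookup paths."""
    return {name: unintended_lookups(path) for name, path in services.items()}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SERVICES).items():
        status = "UNQUOTED PATH" if hits else "ok"
        print(f"{name:12} {status:14} {hits}")
        if hits:
            print(f"{'':12} fix -> {quote_image_path(SAMPLE_SERVICES[name])}")
```

Running the script flags only `BadUnquoted`, reporting that Windows would look for `C:\Program.exe` and `C:\Program Files\Example.exe` before the real updater; the quoted form it prints is byte-for-byte the `GoodQuoted` entry. The same logic explains why a leftover Bonjour service matters: the check runs against every registered service, whether or not the application that installed it is still present.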
Apple has patched the vulnerability in iTunes 12.10.1 for Windows and iCloud for Windows 7.14, so PC users should check they have both updates installed. Additionally, if you’ve ever run iTunes on your PC, even if you later removed it, you could still be at risk.
That’s because the iTunes uninstaller doesn’t automatically remove Bonjour.
“In most cases, people are not aware that they need to uninstall the Bonjour component separately when uninstalling iTunes. Because of this, machines are left with the updater task installed and working.
We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background. Following this discovery, we identified the attack surface and the motivation of the attacker to choose this process for evasion.”
Macs are not affected, no matter which version of macOS you are running. Additionally, macOS Catalina replaces iTunes with a brand new Music app.
Morphisec says the vulnerability was being actively exploited to install ransomware called BitPaymer. It reported the issue to Apple and has disclosed details only now that the company has released updates to close the security hole.