One of the flaws that Apple patched in last week’s iTunes app for Windows update was a zero-day used to spread the BitPaymer ransomware, security company Morphisec Labs has revealed.
This alarming-sounding flaw is only briefly alluded to at the end of Apple’s release notes for iTunes version 12.10.1 as being related to Apple’s Software Updater, also used by iCloud for Windows.
According to a new blog by Morphisec, we now know it was a zero-day vulnerability used by BitPaymer to target “yet another enterprise in the automotive industry.”
The flaw itself is a rare example of an ‘unquoted path class’ described by Morphisec as:
So thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not the case, and this Apple zero-day is evidence.
It’s certainly surprising that a company of Apple’s resources would have allowed such an old-school issue to slip through its development.
Morphisec said that the attack that deployed an exploit for the bug against an “enterprise in the automotive industry” was detected in August, a month after it published details of a larger BitPaymer campaign targeting at least 15 US organisations over the summer.
Finding a flaw in Apple Software Updater must have been gold for the cybercriminals who exploited it – as a signed application, its legitimacy would, in theory, have been a huge leg up for any attacker looking to bypass Windows security.
iTunes no more
Earlier this year, Apple announced that it was shutting down iTunes after 18 years, which will be replaced for Mac users with a range of standalone apps.
However, users who access iTunes on Windows will need to keep using (and updating) the current unloved iTunes app, for a while at least.
The updater for that – and the Windows iCloud app – is Apple Software Updater, which while bundled with iTunes for Windows is a separate program.
That means that even if a Windows user decides to de-install iTunes to avoid this and other future security flaws, Updater will remain installed. As Morphisec notes:
We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises.
Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silently, un-updated, and still working in the background.
Consequently, you need to de-install both applications to banish iTunes forever.
For Windows users who do want to keep using iTunes, fixing the flaw requires updating to iTunes version 12.10.1 (iCloud for Windows version 7.14).
antfaber
How do I update iTunes?
Paul Ducklin
If you got it from the Microsoft Store, it’s supposed to update automatically. Otherwise, go to Help → Check for Updates.
(I took that info from Apple’s official support page: https://support.apple.com/en-gb/HT201352)