Vulnerability in iTunes and iCloud allowed ransomware on Windows PCs

A zero-day vulnerability in iTunes and iCloud apps on Windows PCs enabled attackers to install ransomware without triggering antivirus protections. Ransomware encrypts the entire hard drive or SSD with a key known only to the attacker, enabling them to demand a ransom to decrypt the machine…

ArsTechnica reports that the exploit was discovered by security company Morphisec.

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which, as its name suggests, occurs when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program — such as one digitally signed by a well-known developer like Apple — attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

Essentially, a bug in Apple’s apps meant that an attacker could get them to run a malicious app, while antivirus software wouldn’t check what was happening because it appeared to be done by signed Apple apps and was therefore automatically treated as OK.

Apple has patched the vulnerability in iTunes 12.10.1 for Windows and iCloud for Windows 7.14, so PC users should check they have both updates installed. Additionally, if you’ve ever run iTunes on your PC, even if you later removed it, you could still be at risk.

That’s because the iTunes uninstaller doesn’t automatically remove Bonjour.

“In most cases, people are not aware that they need to uninstall the Bonjour component separately when uninstalling iTunes. Because of this, machines are left with the updater task installed and working.

We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background. Following this discovery, we identified the attack surface and the motivation of the attacker to choose this process for evasion.”
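The two checks a Windows administrator would want after reading the above are (1) whether any service on the machine still has an unquoted executable path containing a space, the bug class Morphisec describes, and (2) whether a Bonjour service is still registered on a machine from which iTunes was removed. The script below is an added example written for this page; it is not code from 9to5Mac, Morphisec or Apple. It assumes an elevated PowerShell 5.1 or later session, that the Bonjour service's display name contains the word "Bonjour" (the article does not name the service), and that iTunes, if present, is listed under the standard Uninstall registry keys with a display name beginning "iTunes".

```powershell
# Added example (not from 9to5Mac, Morphisec or Apple). Audits a Windows host for
# unquoted service paths and for a Bonjour service left behind after iTunes was removed.
# Assumes an elevated PowerShell 5.1+ session; it only reads configuration and reports.

function Test-UnquotedServicePath {
    # Returns $true when a service PathName has the unquoted-path defect: the path is not
    # wrapped in quotes and the executable portion contains a space. Windows resolves such
    # a path by trying each space-delimited prefix in turn, which is why quoting is required.
    param([Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    if ($PathName.TrimStart().StartsWith('"')) { return $false }   # quoted: safe
    # Keep only the executable part; arguments after .exe do not affect the check.
    $m   = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $PathName }
    return ($exe -match ' ')
}

function Get-UnquotedServicePath {
    # Lists every installed service whose path fails the test above.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -PathName $_.PathName } |
        Select-Object Name, DisplayName, StartMode, @{n='RunAs'; e={ $_.StartName }}, PathName
}

function Get-LingeringBonjour {
    # Flags any service whose display name mentions Bonjour (assumption: the article does
    # not name the service) and records whether iTunes is still installed on this machine.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $itunesInstalled = [bool](Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'iTunes*' })
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like '*Bonjour*' } |
        Select-Object Name, DisplayName, State, PathName,
            @{n='ITunesStillInstalled'; e={ $itunesInstalled }},
            @{n='Unquoted';             e={ Test-UnquotedServicePath -PathName $_.PathName }}
}

# Sanity check of the classifier on constructed PathName strings (no real services involved).
$samples = @(
    '"C:\Program Files\Vendor\svc.exe" -run',      # quoted: not flagged
    'C:\Windows\system32\svchost.exe -k netsvcs',  # no space in the exe path: not flagged
    'C:\Program Files\Vendor\svc.exe -run'         # unquoted with a space: flagged
)
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-UnquotedServicePath -PathName $_), $_ }

Get-UnquotedServicePath | Format-Table -AutoSize
Get-LingeringBonjour    | Format-Table -AutoSize
```

Any service the first report lists should have its ImagePath wrapped in double quotes (by the vendor's patch where one exists, as Apple's updates do here), and a Bonjour service reported on a machine with `ITunesStillInstalled` false is exactly the orphaned, un-updated component Morphisec describes: either update it or remove it through Programs and Features so it no longer runs in the background.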

Macs are not affected, no matter which version of macOS you are running. Additionally, macOS Catalina replaces iTunes with a brand new Music app.

Morphisec says the vulnerability was being actively exploited to install ransomware called BitPaymer. It reported the issue to Apple and has disclosed details only now that the company has released updates to close the security hole.


About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
