Apple iTunes has a serious security flaw you really should know about
Hackers could use iTunes to create a system folder with high privileges
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A high-severity vulnerability has been discovered inApple’s iconic iTunes program that could allow threat actors to escalate privileges locally, essentially giving them the keys to the kingdom.
Cybersecurity researchers fromSynopsysoutlined the flaw in the Windows version of the multimedia hub, explaining that the app creates a privileged folder with weak access controls.
As a result, a threat actor (in this case, a regular user without any elevated privileges) can redirect this folder creation to the Windows system directory, and then use the folder to obtain a higher-privileged system shell.
High severity iTunes flaw
“The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users,” the researchers explained. “After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing anMSIrepair, which can be later used to gain Windows SYSTEM level access.”
The flaw is now tracked as CVE-2023-32353, affecting iTunes versions prior to 12.12.9. It has a severity score of 7.8 and is deemed “high severity”.
Apple just patched a pair of dangerous iOS and macOS security issues, so update now>There’s a major new security update for iOS and macOS, so update now>Here’s our list of the best firewalls today
Apple has been hard at work lately remedying a number of high-severity vulnerabilities across its ecosystem.
Microsoftrecently reported findinga major bug in macOS, dubbed Migrainewhich could have allowed threat actors with root privileges to bypass System Integrity Protection, giving them the ability to install “undeletable”malware.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Furthermore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data. The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.
Also, less than a month ago, the company announced fixing two zero-day vulnerabilities that were apparently being abused in the wild to target iPhone, Mac, and iPad endpoint users. The flaws enabled threat actors to take full control over the vulnerable devices, it was said.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
Belkin’s Travel Bag for Vision Pro has pockets and is way cheaper than Apple’s own case
