Researchers have discovered a zero-day vulnerability in iTunes that is under active exploitation. They found that the hackers behind the BitPaymer ransomware exploited the bug to bypass antivirus programs.
iTunes Zero-Day Vulnerability Under Attack
Researchers from Morphisec discovered a security flaw affecting iTunes. They also found this iTunes zero-day under active exploitation by hackers.
As elaborated in a blog post, an unquoted path vulnerability existed in the Bonjour updater of iTunes for Windows. Despite being a well-documented class of bug, this unquoted path vulnerability escaped the attention of Apple's engineers and made it into iTunes.
Bonjour, as the researchers explain, comes packaged with iTunes and serves as its updater. It is installed on users' devices whenever iTunes is installed, and it stays there even after iTunes is uninstalled.
Bonjour, the mechanism Apple uses to deliver future updates, contains one of these unquoted paths. It has its own entry in the installed programs list and a scheduled task that executes the process.
The bug in this component therefore puts a large number of devices at risk. The attackers abused Bonjour to hijack its execution path and pointed it at the BitPaymer ransomware. Although this did not give them admin privileges on the device, it let them evade antivirus detection because Bonjour is a legitimate process.
If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor.
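As an added illustration (not code from the article or from Morphisec), the following Python audit check shows why an unquoted path containing spaces is ambiguous, flags such entries in a constructed inventory of scheduled-task command lines, and produces the quoted form that fixes them; all task names and paths are hypothetical.

```python
import re
from typing import Dict, List

# Constructed inventory of scheduled-task command lines (hypothetical names and
# paths, not taken from the Morphisec report or from Bonjour itself).
SAMPLE_INVENTORY: Dict[str, str] = {
    "Example Vendor Updater": r"C:\Program Files\Example Vendor\Updater\update.exe /silent",
    "Quoted Updater": r'"C:\Program Files\Other Vendor\update.exe" /check',
    "No-space path": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Return the executable portion of a command line, without quotes."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = _EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def ambiguous_prefixes(command: str) -> List[str]:
    """Binaries Windows would try, in order, before the intended one when the
    path is unquoted and has spaces; empty means the entry is not ambiguous."""
    if command.startswith('"'):
        return []
    path = executable_path(command)
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def quote_command(command: str) -> str:
    """The fix: wrap the executable path in double quotes, keeping arguments."""
    if command.startswith('"'):
        return command
    path = executable_path(command)
    return f'"{path}"' + command[len(path):]


def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged entry to the locations that must stay unwritable by
    standard users, since a file planted there would run instead."""
    return {n: p for n, c in inventory.items() if (p := ambiguous_prefixes(c))}


if __name__ == "__main__":
    for name, prefixes in audit(SAMPLE_INVENTORY).items():
        print(f"[!] {name}: unquoted path; ambiguous prefixes: {prefixes}")
        print(f"    fix: {quote_command(SAMPLE_INVENTORY[name])}")
```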
Apple Released Patches
Alongside the bug discussed above, the researchers also found similar vulnerabilities in the iTunes software and its installer. The same Bonjour bug also affected iCloud for Windows, with which Bonjour is likewise packaged.
Upon discovering the vulnerabilities, the researchers reported them to Apple. Following their report, Apple patched the flaws with the release of iTunes 12.10.1 for Windows and iCloud for Windows 7.14.