If you’re a Windows users that has iTunes installed on your machine be sure that you have the latest version (iTunes 12.12.9) installed, as the new version fixes a recently discovered security flaw.
iTunes 12.12.9 was released on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine.
iTunes 12.12.9 for Windows
Released May 23, 2023
iTunes
Available for: Windows 10 and later
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.
CVE-2023-32353: Zeeshan Shaikh (@bugzzzhunter) – Synopsys Cybersecurity Research Center (CyRC)
iTunes
Available for: Windows 10 and later
Impact: An app may be able to gain elevated privileges
Description: A logic issue was addressed with improved checks.
CVE-2023-32351: ycdxsb of VARAS@IIE
Synopsys, the security company that discovered the problem, today shared details on how it worked.
Overview
The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows. iTunes is a software program that acts as a media player, media library, mobile device management utility, and the client app for the iTunes Store. It is developed by Apple Inc.
The application creates a privileged folder with weak access control. It is possible for a regular user to redirect this folder creation to the Windows system directory. This can then be leveraged to obtain a higher-privileged system shell.
Exploitation
The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.
Affected software
- Apple iTunes versions prior to 12.12.9
Impact
Exploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system level privileges.
All versions of iTunes prior to 12.12.9 are affected by this vulnerability.