News

Be Sure to Update Windows Version of iTunes to Fix Security Vulnerability

If you’re a Windows users that has iTunes installed on your machine be sure that you have the latest version (iTunes 12.12.9) installed, as the new version fixes a recently discovered security flaw.

iTunes 12.12.9 was released on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine.

iTunes 12.12.9 for Windows

Released May 23, 2023

iTunes

Available for: Windows 10 and later

Impact: An app may be able to elevate privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32353: Zeeshan Shaikh (@bugzzzhunter) – Synopsys Cybersecurity Research Center (CyRC)

iTunes

Available for: Windows 10 and later

Impact: An app may be able to gain elevated privileges

Description: A logic issue was addressed with improved checks.

CVE-2023-32351: ycdxsb of VARAS@IIE

Synopsys, the security company that discovered the problem, today shared details on how it worked.

Overview

The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows. iTunes is a software program that acts as a media player, media library, mobile device management utility, and the client app for the iTunes Store. It is developed by Apple Inc.

The application creates a privileged folder with weak access control. It is possible for a regular user to redirect this folder creation to the Windows system directory. This can then be leveraged to obtain a higher-privileged system shell.

Exploitation

The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.

Affected software

  • Apple iTunes versions prior to 12.12.9

Impact

Exploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system level privileges.

All versions of iTunes prior to 12.12.9 are affected by this vulnerability.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.