Apple has already released patches for affected software

Oct 12, 2019 06:22 GMT

A zero-day security flaw in the Windows versions of Apple’s iTunes and iCloud apps allowed hackers to bypass antivirus protection and install ransomware called BitPaymer.

Security company Morphisec explains that the vulnerability was discovered in a component included in the Apple Software Update service, which both iTunes and iCloud use on Windows.

The flaw, a so-called unquoted service path, made it possible for malicious actors to get into a Windows computer undetected by way of the vulnerable software. The attackers were able to execute code on behalf of iTunes and iCloud, both of which are digitally signed by Apple, so antivirus protection could fail to flag the malicious payloads as dangerous.

Once the ransomware infection compromises a Windows host, access to locally-stored files is blocked, and users are required to pay for a decryption key to regain access to their data.

Patches already available

More worrying is that the vulnerability also affects Windows computers where iTunes and iCloud have already been removed. The Apple Software Update component is left behind even after these two apps are uninstalled, and Morphisec warns that this makes a substantial number of devices vulnerable to attacks.

“In most cases, people are not aware that they need to uninstall the Apple Software Update component separately when uninstalling iTunes,” Morphisec notes.

“Because of this, machines are left with the updater task installed and working. We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silently, un-updated, and still working in the background.”

Apple has already patched the vulnerability with iTunes 12.10.1 for Windows and iCloud for Windows 7.14, and users are advised to update as soon as possible.
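To find services exposed to the unquoted service path problem described above, including updater components left behind after an uninstall, the following added example (not code from the article, Morphisec or Apple) checks each service's registry `ImagePath` for an executable path that contains a space and is not wrapped in quotes. It goes beyond the Apple case and audits every service; the function names and the sample entries are constructed for illustration.

```python
import re
import sys

# End of the executable inside an ImagePath: an extension followed by a space or the end.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

def unquoted_with_spaces(image_path):
    """True if the executable part of a service ImagePath has a space and no quotes."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False
    match = _EXE_END.search(path)
    # No recognisable executable (e.g. a .sys driver): fall back to the first token.
    exe = path[:match.end()] if match else path.split(" ")[0]
    return " " in exe

def audit(services):
    """Return the (name, ImagePath) pairs whose path needs quoting."""
    return [(name, path) for name, path in services if unquoted_with_spaces(path)]

def local_service_paths():
    """Yield (name, ImagePath) for every service in the local registry (Windows only)."""
    import winreg
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        for index in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, index)
            try:
                with winreg.OpenKey(services, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue  # no ImagePath value, or key not readable
            # ImagePath is often REG_EXPAND_SZ; expand %ProgramFiles% and friends first.
            yield name, winreg.ExpandEnvironmentStrings(str(value))

# Constructed sample entries for offline runs; none of them come from the article.
SAMPLE = [
    ("ExampleUpdater", r"C:\Program Files (x86)\Example Vendor\Updater\update.exe /svc"),
    ("QuotedUpdater", r'"C:\Program Files\Example Vendor\update.exe" /svc'),
    ("HostedService", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("ExampleDriver", r"\SystemRoot\System32\drivers\example.sys"),
]

if __name__ == "__main__":
    source = local_service_paths() if sys.platform == "win32" else SAMPLE
    for name, path in audit(source):
        print(f"UNQUOTED  {name}: {path}")
```

A flagged service is remediated by updating or removing the software that owns it, or by wrapping the executable path in its `ImagePath` value in double quotes.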

Needless to say, macOS devices aren’t affected, and computers upgraded to macOS Catalina are fully secure as iTunes is no longer offered after Apple replaced it with a dedicated Music app.