Researchers at Morphisec have uncovered a zero-day vulnerability in iTunes and iCloud that lets attackers install ransomware on Windows PCs. The infection method allowed malware to remain undetected by antivirus software.
The flaw resides in Apple’s use of Bonjour, a program it initially created for Mac that handles hostname resolution and other networking tasks. The Apple software suite contains an unquoted path vulnerability, which Morphisec describes as such:
“Software developers are using more and more object-oriented programming, and many times when assigning a variable with a path, they assume that using the String type of the variable alone is enough – well it’s not! The path still needs to be surrounded by quotes (‘\\’).”
This opens an avenue for attackers to exploit. In this case, the unquoted path was “C://Program ‘Files’…”. By naming the malware Program, attackers could run a malicious file via Apple’s service. It’s given credibility by the company’s certificate and ignored by many AV products. Additionally, as the file in question is not an exe, it’s less likely to be scanned.
Thankfully, Apple has since patched the vulnerability that the BitPaymer/IEncrypt group of malware can exploit. However, Morphisec is continuing to work with Apple on other vulnerabilities.
It also notes that the number of Windows PCs with the bonjour service installed is surprisingly high. When users uninstall iTunes, bonjour stays silently on the PC and isn’t automatically updated.
As a result, users should uninstall bonjour or download the latest version of iTunes and iCloud from Apple’s site. The vulnerabilities are particularly relevant as the company is sunsetting iTunes for Apple Music on other platforms, but keeping it on Windows. Questions have been raised about whether it will keep up the necessary security and feature support for the foreseeable future.