Hackers Made Use Of Unquoted Path In iTunes And iCloud To Install Windows Ransomware

Apple's iTunes and iCloud apps for Windows had a zero-day flaw that let attackers install ransomware while evading detection.

As disclosed by cybersecurity firm Morphisec, attackers exploited an unquoted service path in the 'Bonjour' helper utility that ships with iTunes, and used the flaw to install ransomware on the computers of an unnamed enterprise in the automotive industry.

The flaw arose because the path to the service's executable wasn't enclosed in quotation marks, a simple mistake on the developers' side.

As a result, when Windows starts the service it cannot tell where the executable's name ends and the arguments begin: it treats every space in the path as a possible end of the file name and tries each candidate in turn until it finds a file that exists.

So for example, if the service binary lives at c:\program files\sub folder 1\sub folder 2\program.exe and the path is unquoted, Windows first looks for c:\program.exe, then c:\program files\sub.exe, then c:\program files\sub folder.exe, and so on, before it ever reaches the real file. An attacker who can write to one of those earlier locations, say by dropping a file named sub.exe into c:\program files\sub folder 1\, gets their own program executed instead of the legitimate one.

As the Morphisec researchers put it in their blog post:

"Software developers are using more and more object-oriented programming, and many times when assigning a variable with a path, they assume that using the String type of the variable alone is enough – well it's not! The path still needs to be surrounded by quotes ("\\")."

The impact is worse because a planted file runs with whatever privileges the service has: if the service runs as SYSTEM or as an administrator, so does the attacker's code. That is what made it possible for the attackers to install whatever malware they wanted.
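The lookup order described above, together with the privilege point just made, as an added example that is not code from the article, Morphisec or Apple: a small Python audit that takes service rows in the shape `wmic service get Name,PathName,StartMode` prints, lists the locations Windows would try before the real binary, and flags those that fall in a directory a standard user can write to. The service table and the writable-directory list are constructed sample data (assumptions for the illustration), not output from a real host.

```python
"""Added example (not Morphisec's tooling or Apple's code): simulate how Windows
resolves an unquoted service path and flag services an unprivileged user could
hijack. The service table and the writable-directory list are constructed sample
data, i.e. assumptions for this illustration, not output from a real host."""

import ntpath
import re

# Constructed sample rows in the shape of
#   wmic service get Name,PathName,StartMode
# The Bonjour row mirrors the unquoted layout the article describes; the Acme
# rows are invented for contrast (one quoted, one unquoted under a writable dir).
SAMPLE_SERVICES = [
    ("Bonjour Service", r"C:\Program Files\Bonjour\mDNSResponder.exe", "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("AcmeUpdater", r'"C:\Program Files\Acme Updater\updater.exe" /silent', "Auto"),
    ("AcmeAgent", r"C:\Users\Public\Acme Tools\agent.exe -service", "Auto"),
]

# Assumption for the demo: directories a standard user can write to. On a real
# host derive this from ACLs (icacls / Get-Acl) rather than hard-coding it.
USER_WRITABLE_DIRS = [r"C:\Users\Public"]


def is_quoted(path_name: str) -> bool:
    """A PathName that starts with a double quote is resolved unambiguously."""
    return path_name.lstrip().startswith('"')


def executable_part(path_name: str) -> str:
    """Drop trailing arguments: only the text up to and including '.exe' takes
    part in the lookup, so '-service' in 'x.exe -service' is irrelevant."""
    m = re.search(r"\.exe\b", path_name, re.IGNORECASE)
    return path_name[: m.end()] if m else path_name


def hijack_candidates(path_name: str) -> list[str]:
    r"""Locations Windows tries before the real binary, in order.

    For an unquoted 'C:\a b\c d\e.exe' CreateProcess treats every space as a
    possible end of the module name and tries 'C:\a', then 'C:\a b\c', then the
    full path. The CreateProcess documentation appends '.exe' to each prefix;
    the Bonjour case in this article used an extensionless file, so a defender
    should look for both '<prefix>' and '<prefix>.exe'.
    """
    if is_quoted(path_name):
        return []
    exe = executable_part(path_name)
    return [exe[:i] for i, ch in enumerate(exe) if ch == " "]


def unquoted_services(services) -> list[str]:
    """Names of services whose PathName can be mis-resolved at all (the classic
    'unquoted service path' audit finding, regardless of who can exploit it)."""
    return [name for name, path_name, _ in services if hijack_candidates(path_name)]


def audit(services, writable_dirs) -> list[tuple[str, str]]:
    """Pair each service with the planted path an attacker who can write to one
    of writable_dirs would use. The planted file then runs under the service's
    account (SYSTEM for most services), which is the privilege-escalation angle."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    findings = []
    for name, path_name, _ in services:
        for candidate in hijack_candidates(path_name):
            parent = ntpath.dirname(candidate).rstrip("\\").lower()
            if parent in writable:
                findings.append((name, candidate))
    return findings


if __name__ == "__main__":
    for name, path_name, start_mode in SAMPLE_SERVICES:
        cands = hijack_candidates(path_name)
        print(f"{name:16} {start_mode:5} {'UNQUOTED' if cands else 'ok':8} {path_name}")
        for c in cands:
            print(f"{'':31} tries {c}[.exe] before the real binary")
    print("\nHijackable by a standard user:")
    for name, planted in audit(SAMPLE_SERVICES, USER_WRITABLE_DIRS):
        print(f"  {name}: plant {planted} (or {planted}.exe)")
```

On a real host, replace SAMPLE_SERVICES with the output of `Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode` and build the writable set from `icacls` on each candidate's parent directory; the Bonjour row shows up as unquoted but its only candidate, C:\Program, sits in a directory the sample treats as non-writable, which is exactly the distinction between "audit finding" and "exploitable by a local user". The fix on the defending side is the one the Morphisec quote calls for: quote the ImagePath, in the service's registry key or via `sc config <name> binPath=`.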

And in this case, the ransomware that was chosen by the hackers was BitPaymer.

Also known as iEncrypt, this ransomware is an aggressive variant: it encrypts not just the data files on the victim's hard drive but applications and program files as well. It does not, however, tamper with the operating system itself, which in this case was Microsoft Windows.

"The BitPaymer/IEncrypt group exhibits an advanced innovative spirit. The group must have performed serious reconnaissance research to consistently stay one step ahead of the defenders."

What's more, the malicious file was simply named 'Program' and carried no executable extension, which helped the ransomware escape notice and bypass antivirus protections.

That worked because the file was launched by a trusted program, in this case one digitally signed by Apple, a well-known developer. By exploiting the flaw, the attackers had that signed program execute code that antivirus products would not flag as suspicious.

What makes the finding more troubling is that uninstalling iTunes with the normal uninstaller does not necessarily remove Bonjour, so the vulnerable component can linger on machines that no longer have iTunes. The advice is to uninstall Bonjour manually after removing iTunes.

In an update on October 11th, the Morphisec researchers noted that the abused vulnerability was also present in an Apple Software Update component that is not part of Bonjour.

Fortunately, Apple has fixed the zero-day vulnerability in iTunes 12.10.1 for Windows and iCloud for Windows 7.14, released immediately after Morphisec responsibly disclosed it.

Macs were not affected by this flaw, whichever version of macOS they run, since the bug lies in how the Windows service was registered. The news came just as Apple retired iTunes for macOS, replacing it with the Music, Podcasts and TV apps in macOS Catalina.

Published: 
13/10/2019