Hackers use zero-day flaw in Apple iTunes to install ransomware

News by Rene Millman

Zero-day vulnerability in Apple iTunes for Windows allows hackers to bypass antivirus detection on Windows devices

Security researchers have discovered a zero-day vulnerability in Apple iTunes for Windows that allows hackers to bypass antivirus detection on Windows devices. 

According to a blog post by researchers at Morphisec, the exploit has allowed criminals to install BitPaymer/IEncrypt ransomware on compromised systems; the researchers called the iTunes flaw a "new and alarming evasion technique".

The flaw exists in the Apple Software Update utility that comes packaged with iTunes for Windows.

"The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future," said researchers.

The attackers abused an unquoted path to maintain persistence and evade detection, the researchers noted. Exploitation of unquoted paths is rarely seen in the wild, yet it is a well-known class of bug that has been reported in other vendors' software for more than 15 years, they said.

"Software developers are using more and more object-oriented programming, and many times when assigning a variable with a path they assume that using the String type of the variable alone is enough – well it's not! The path still needs to be surrounded by quotes ("\\")," researchers added.

Because the path is not quoted, Windows resolves it piece by piece, treating each space as a possible end of the executable name, so an attacker who can place a file at one of the intermediate candidate paths gets that file launched by the legitimate, signed Apple Software Update process instead of the intended binary. Since the parent process is trusted, the ransomware running as its child is far less likely to be flagged by antivirus software.
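To make the mechanism concrete, the following added example (not code from the article, Morphisec or Apple) models how Windows resolves an unquoted executable path and shows that quoting the path removes the ambiguity. The resolution order follows the rule in Microsoft's CreateProcess documentation; the install path, the "--check" argument and the planted "C:\Program.exe" file are assumptions made for illustration, since the article gives none of them.

```python
"""How Windows resolves an unquoted executable path, and why quoting fixes it.

Added example, not code from the article or from Morphisec or Apple.  It
models the rule in Microsoft's CreateProcess documentation: when the
executable is not enclosed in quotes and the path contains spaces, Windows
splits the command line at each space in turn and tries every prefix as the
executable, appending ".exe" when the prefix has no extension, until one
exists.  The install path, the "--check" argument and the planted file below
are assumptions for illustration; the article gives none of them.
"""
from __future__ import annotations

import ntpath
from typing import Iterable


def candidate_executables(command_line: str) -> list[str]:
    """Return, in the order Windows tries them, every file an unquoted
    command line can resolve to.  A quoted executable yields one candidate."""
    line = command_line.strip()
    if line.startswith('"'):
        end = line.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return [line[1:end]]
    words = line.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        # CreateProcess appends ".exe" when the candidate has no extension.
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def resolve(command_line: str, existing_files: Iterable[str]) -> str | None:
    """Simulate the lookup: the first candidate that exists wins.  Paths are
    compared case-insensitively, as NTFS does by default."""
    present = {p.lower() for p in existing_files}
    for candidate in candidate_executables(command_line):
        if candidate.lower() in present:
            return candidate
    return None


def quote_command_line(executable: str, *args: str) -> str:
    """The fix: the executable path is always wrapped in double quotes, so
    the spaces inside it can no longer be read as the end of the name."""
    return " ".join([f'"{executable}"', *args])


# Assumed install path of Apple Software Update (not taken from the article).
REAL_EXE = r"C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe"
# Assumed attacker-controlled file: it is the first candidate Windows tries,
# so it is found before the real executable is ever considered.
PLANTED_EXE = r"C:\Program.exe"

UNQUOTED = f"{REAL_EXE} --check"
QUOTED = quote_command_line(REAL_EXE, "--check")


def demo() -> dict[str, str | None]:
    """Three lookups over a constructed file list: the unquoted path on a
    clean system, the same path after an attacker plants C:\\Program.exe, and
    the quoted path on the compromised system."""
    return {
        "unquoted_clean": resolve(UNQUOTED, [REAL_EXE]),
        "unquoted_planted": resolve(UNQUOTED, [REAL_EXE, PLANTED_EXE]),
        "quoted_planted": resolve(QUOTED, [REAL_EXE, PLANTED_EXE]),
    }


if __name__ == "__main__":
    for candidate in candidate_executables(UNQUOTED):
        print("tries:", candidate)
    for case, winner in demo().items():
        print(f"{case:>17}: {winner}")
```

Run stand-alone, the script lists the six candidates Windows would try for the unquoted command line and shows that the planted file wins only when the path is unquoted. Whether an attacker can actually write to one of those candidate locations depends on the directory ACLs; in the case described here the attackers were already running code on the machine, so the bug bought them a trusted parent process rather than elevated privileges. The same resolution rule applies to Windows services with an unquoted ImagePath, which is why auditing for unquoted paths is a standard hardening step.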

"If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor," said researchers.

"Since Apple Software Update is signed and known, the adversary uses this to their advantage. Furthermore, security vendors try to minimise unnecessary conflicts with known software applications, so they will not prevent this behaviour for fear of disrupting operations."

Researchers warned that many users may have deleted iTunes from their systems but left the Apple Software Update component behind.

"We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silent, un-updated, and still working in the background," said researchers.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that there will always be some kind of malware that bypasses standard detection controls. 

"This is why it's important to not just have layered defences but have detection controls which look at heuristics and behaviours of software and network traffic to identify anomalies," he said.

Windows is a second-class citizen for the Apple ecosystem, commented Pascal Geenens, Radware EMEA security evangelist. 

"I would suspect that these applications get a second-class treatment as well, in terms of effort and focus. It makes for a good place for malware authors to hunt for vulnerabilities that could slingshot their malicious code into higher privileges," he told SC Media UK.
