Update now! Windows users targeted by iTunes Software Updater zero-day – Naked Security


One of the flaws that Apple patched in last week’s iTunes app for Windows update was a zero-day used to spread the BitPaymer ransomware, security company Morphisec Labs has revealed.

This alarming-sounding flaw is only briefly alluded to at the end of Apple’s release notes for iTunes version 12.10.1 as being related to Apple’s Software Updater, also used by iCloud for Windows.

According to a new blog by Morphisec, we now know it was a zero-day vulnerability used by BitPaymer to target “yet another enterprise in the automotive industry.”

The flaw itself is a rare example of an ‘unquoted path class’ described by Morphisec as:

So thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not the case, and this Apple zero-day is evidence.

It’s certainly surprising that a company of Apple’s resources would have allowed such an old-school issue to slip through its development.

Morphisec said that the attack that deployed an exploit for the bug against an “enterprise in the automotive industry” was detected in August, a month after it published details of a larger BitPaymer campaign targeting at least 15 US organisations over the summer.

Finding a flaw in Apple Software Updater must have been gold for the cybercriminals who exploited it – as a signed application, its legitimacy would, in theory, have been a huge leg up for any attacker looking to bypass Windows security.