iTunes and iCloud vulnerability allowed Windows ransomware to be installed undetected

itunes on Windows (Image credit: iMore)

What you need to know

  • A zero-day vulnerability in iTunes and iCloud for Windows allowed ransomware to be installed on Windows PCs undetected.
  • Unquoted service path allowed hackers to run malicious apps that wouldn't trigger antivirus software.
  • Vulnerability was actively being exploited to run ransomware BitPaymer.

A report from cybersecurity company Morphisec, relayed by Ars Technica, has revealed how a zero-day vulnerability in iTunes and iCloud for Windows allowed hackers to infect Windows computers with ransomware without triggering antivirus software.

According to the report:

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

In August, Morphisec found attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry. The exploit allowed the attackers to execute a malicious file called "Program," which presumably was already on the target's network.

Gorelik said that Morphisec "immediately" notified Apple of the active exploit upon finding it in August. On Monday, Apple patched the vulnerability in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14. Windows users who have either application installed should ensure the automatic updates worked as they're supposed to. In an email, Gorelik said his company has reported additional vulnerabilities that Apple has yet to patch. Apple representatives didn't respond to an email seeking comment for this post.
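As an added example (not code from the article, Morphisec or Apple), the following Python audit flags the bug class described above, a service whose ImagePath is unquoted and contains spaces, and lists the lookup paths Windows would try before reaching the intended executable. The service table is constructed for illustration; on a real host the ImagePath values would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or `sc qc <name>`.

```python
import re
from typing import Dict, List

# Constructed sample service table (name -> ImagePath as stored in the registry).
# The paths are illustrative, not the real ones shipped by Apple or any vendor.
SAMPLE_SERVICES: Dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",  # unquoted, has spaces
    "Vendor Agent": r'"C:\Program Files\Vendor\agent.exe" --service',  # quoted: safe
    "netsvcs": r"C:\Windows\system32\svchost.exe -k netsvcs",          # no spaces: safe
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",                   # no spaces: safe
}


def executable_part(image_path: str) -> str:
    """Return the executable path portion of an ImagePath without its arguments."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted path ends at the closing quote
        return p[1:p.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ")[0]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and its executable portion contains spaces."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)


def lookup_sequence(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, when the path is unquoted.

    Each space-delimited prefix is tried first (with .exe appended when no
    extension is present), so for C:\\Program Files\\Bonjour\\mDNSResponder.exe
    the first attempt is C:\\Program, consistent with the article's file
    named "Program". Defenders should check write ACLs on those locations.
    """
    tokens = executable_part(image_path).split(" ")
    return [" ".join(tokens[: i + 1]) for i in range(len(tokens))]


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the lookup paths that must be locked down."""
    return {name: lookup_sequence(path) for name, path in services.items()
            if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, seq in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; Windows tries {seq[:-1]} before {seq[-1]}")
```

The remediation is the one the article implies: quote the ImagePath (or uninstall the leftover component) and ensure unprivileged users cannot create files in the directories on the lookup sequence.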

Whilst the vulnerability was patched on Monday in iTunes 12.10.1 and iCloud 7.14 for Windows, anyone who has installed and then uninstalled iTunes on Windows could still be at risk, because Bonjour is not automatically removed. Morphisec CTO Michael Gorelik wrote:

"In most cases, people are not aware that they need to uninstall the Bonjour component separately when uninstalling iTunes. Because of this, machines are left with the updater task installed and working. We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises...Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background."

According to Morphisec, Apple has not fixed all of the vulnerabilities it reported, only the one that was "abused by the attackers". Morphisec also states that it did not publish the vulnerability until the update was released to fix the problem, and that it "prevented the attack before any damage could have been caused."

The news comes in the wake of analyst predictions that hacks targeting Apple products and software are likely to increase as Apple expands its reach. In the meantime, users of iTunes and iCloud can steer clear of this latest exploit by updating to the latest release of both.

Stephen Warwick
News Editor


  • Once you go Mac, you'll never go back!!!! Sorry........couldn't resist.
  • I went more Unix as Apple is too locked down and less "think different" nowadays. Want to see your photos inside the iPhoto "blob"? Why would you need to do that, don't worry about alt+clicking it... Want to install an adblocker? We need you to login to the Mac App Store now because there's no need, but **** you that's why. Want an actual keyboard with travel? Nah, **** you that's why. Want a user removable HDD if your Mac dies before backing up? Nah, your data is gone, **** you that's why.
  • macOS is hardly locked down outside of being limited to Apple hardware (unless you make a Hackintosh). The iPhoto "blob" contains a lot of extra info about your photos; if you want them individually just drag them out of the photo library. If you want an adblocker on Safari, then yes you use the Mac App Store, a pretty logical place for Safari extensions; otherwise you can simply just install another browser. If you're using a desktop Mac you can get whatever keyboard you like; it doesn't really make sense for Apple to do different MacBook models with different keyboards, and they're probably going to go back to having one with more travel anyway since they've given up on the butterfly mechanic. I agree with you on the removable/replaceable parts, always important to back up whenever possible though; try to have your backups happen on saving a file rather than periodically.
  • Wait... Did you post an article without saying how the attack is implemented? If it's Bonjour, you have to be on a random WiFi? Or have the attacker on your WiFi?