A high-severity vulnerability has been discovered in Apple’s iconic iTunes program that could allow threat actors to escalate privileges locally, essentially giving them the keys to the kingdom.
Cybersecurity researchers from Synopsys outlined the flaw in the Windows version of the multimedia hub, explaining that the app creates a privileged folder with weak access controls.
As a result, a threat actor (in this case, a regular user without any elevated privileges) can redirect this folder creation to the Windows system directory, and then use the folder to obtain a higher-privileged system shell.
High severity iTunes flaw
“The iTunes application creates a folder, SC Info, in the C:ProgramDataApple ComputeriTunes directory as a system user and gives full control over this directory to all users,” the researchers explained. “After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.”
The flaw is now tracked as CVE-2023-32353, affecting iTunes versions prior to 12.12.9. It has a severity score of 7.8 and is deemed “high severity”.
Apple has been hard at work lately remedying a number of high-severity vulnerabilities across its ecosystem.
Microsoft recently reported finding a major bug in macOS, dubbed Migraine which could have allowed threat actors with root privileges to bypass System Integrity Protection, giving them the ability to install “undeletable” malware.
Furthermore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data. The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.
Also, less than a month ago, the company announced fixing two zero-day vulnerabilities that were apparently being abused in the wild to target iPhone, Mac, and iPad endpoint users. The flaws enabled threat actors to take full control over the vulnerable devices, it was said.