This article was published on October 11, 2019

Apple patches zero-day ransomware flaw in Windows version of iTunes


Apple patches zero-day ransomware flaw in Windows version of iTunes

Apple has patched a zero-day flaw in iTunes app for Windows that allowed hackers to escape detection and install BitPaymer ransomware.

The findings — disclosed by cybersecurity firm Morphisec — come as Apple killed iTunes for macOS, replacing it with Music, Podcasts, and TV apps in macOS Catalina. The app, however, will continue to function as usual on Windows.

The Cupertino-based tech giant fixed the zero-day vulnerability on October 7 with its release of iTunes 12.10.1 for Windows and iCloud for Windows 7.14 immediately after it was responsibly disclosed.

According to Morphisec, adversaries exploited an unquoted path vulnerability in Bonjour helper utility packaged along with iTunes to install the ransomware on computers of an unidentified enterprise in the automotive industry.

Given the fact that Bonjour remains installed even after uninstalling iTunes, it’s recommended that the software is manually removed from the vulnerable workstations, or the latest version of iTunes is installed to plug the flaw that’s present on an older version of Bonjour.

As the name indicates, the flaw occurs when the path to the location of a service isn’t enclosed in quotations, resulting in Windows looking for the service in every folder along the path until it finds the actual file.

In other words, if a program is located in c:\program files\sub folder 1\sub folder 2\program.exe, an attacker could exploit the lack of quotes surrounding the path string in a piece of code to execute a malicious program of their own present in another folder: c:\program files\sub folder 1\malicious program.exe.

Credit: Morphisec
The BitPaymer ransomware disguised as a ‘Program’ exploiting the unquoted path vulnerability

Notably, this path hijack flaw can be abused to gain elevated privileges, especially if the service is running as a SYSTEM user (or admin), thus making it possible to install all kinds of malware — the BitPaymer ransomware in this case.

The ransomware itself was named ‘Program’ and didn’t come with an extension such as ‘.exe’, Morphisec CTO Michael Gorelik noted, thus allowing the program to evade exposure and bypass antivirus protections. However, there were no privilege escaltions as a result of the flaw.

BitPaymer (aka iEncrypt) is known to be an aggressive variant of ransomware that encrypts not just the data files but also the apps and program files, while stopping short of tampering with the operating system.

“The BitPaymer/IEncrypt group exhibits an advanced innovative spirit,” the researchers concluded. “The group must have performed serious reconnaissance research to consistently stay one step ahead of the defenders.”

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top