Getty Images
Just as Mac users wave goodbye to iTunes with macOS Catalina, Windows users are being warned of a horrible bug that has been found in their version of the software and which has enabled malicious attacks on targeted systems. iTunes for Windows has not been replaced and so users need to update their systems right away—especially now that the issue is public. Apple patched the vulnerability on October 7.
The exploit was enabled by nothing more complicated than poor code, made worse because it was hiding in an Apple setup and evading antivirus detection. The bug was discovered and disclosed to Apple by the team at Morphisec, which described it in an October 1o blogpost as “a new and alarming evasion technique.” The team intercepted the exploit in the wild in August, with attacks on computers in the automotive industry. The disclosure was delayed until Apple released its fix.
The security flaw—an unquoted path vulnerability—impacts the Windows version of iTunes, exploiting the Bonjour updater that accompanies it. Morphisec is scathing that an unquoted path vulnerability has been captured in the wild, given that such a well-known and well-documented bug “has previously been identified by other vendors for more than 15 years.”
The bug is exactly as it sounds, occurring when a coder misses the quotes around a file path. “It is so thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not that case, and this Apple zero-day is evidence.” What’s worse, an attacker’s ability to exploit the issue is enhanced when it hides within software from a trusted source such as Apple. Essentially, when the Apple software triggers the malware, defence mechanisms fail to kick in.
Bonjour is separate to iTunes and most people “are not aware that they need to uninstall the Bonjour component separately when uninstalling iTunes.” This means that countless machines “are left with the updater task installed and working.” As Morphisec points out, many computers uninstalled iTunes years ago, but “the Bonjour component remains silently un-updated, and still working in the background.”
The implication is this is a dangerous playing field open to various forms of attack—it is a vulnerability that users are being urged to address by tidying up their systems.
So what was the nature of the attack? According to Morphisec, it installed BitPaymer ransomware through the execution of a malicious “program” file. It is unclear how the file was pushed to the target network, although the researchers note it was not an “exe” file and likely bypassed typical antivirus techniques. The attack exploited the unquoted path, with “Bonjour trying to run from the ‘Program Files’ folder, but because of the unquoted path, it instead ran the BitPaymer ransomware named ‘Program’. This is how the zero-day was able to evade detection and bypass AV.”
Morphisec has disclosed previous BitPaymer ransomware attacks, targeting U.S. companies in both the public and private sectors this year. In an earlier blogpost, the company claims “at least 15 organizations were targeted by the threat group during this latest campaign, spanning multiple industries, including finance, agriculture and technology.” The attacks take place over weekends to optimise the available time to spread across targeted networks. The ransomware itself follows credential stealing attacks on target companies and builds on initial “footholds” in compromised systems.
Morphisec claims that it has also identified “more unquoted path vulnerabilities in the iTunes software and installer,” and has disclosed these to Apple. The team also notes that this trick “program” naming technique could also hide under different Apple system file names with the same effect.
And so the usual advice applies. Windows users should apply the Apple software updates right away, and if you have installed and then uninstalled iTunes, you should also make sure you’ve deleted the associated Bonjour files as well.
