With the release of macOS Catalina this week, so came the death of iTunes for Mac users — but not anyone still using iTunes on Windows. Instead, Apple released a fix on Monday that patches a zero-day flaw that could have allowed bad actors to invisibly install BitPaymer ransomware on Windows computers running iTunes.
The flaw was found by Morphisec, a cybersecurity firm. In a blog disclosing the bug, Morphisec identified the root of the problem was an unquoted path vulnerability in Bonjour, a program that’s bundled with iTunes that Apple uses to deliver future updates. In Windows, developers should ideally enclose an executable file within quote tags. That makes it simple for the system to find a particular file. If a path is unquoted, however, it becomes exploitable. Bad actors can then add malicious files to a service path in a way that bypasses security software. iTunes isn’t the only program featuring this vulnerability; Mophiesec pointed that the bug had been found in other programs over the past 15 years, including Intel Management Engine, ExpressVPN, and ForcePoint VPN.
In this instance, using this vulnerability, the BitPaymer ransomware was installed on computers on an unidentified automotive enterprise in August. (BitPaymer is a type of ransomware that encrypts files on an infected computer and then demands payment to regain access.)
One issue Morphisec notes is that the Bonjour utility is installed separately from iTunes. Meaning, just because you’ve uninstalled iTunes, doesn’t mean you’ve uninstalled Bonjour — that has to be done separately. As a result, Morphisec found Bonjour remained, running silently in the background, on many computers that had removed iTunes years prior.
Windows users should check that they’ve updated to iTunes 12.10.1 for Windows, as well as iCloud for Windows 7.14. And even if you’ve deleted iTunes from your computer, you should do a quick search for Bonjour and uninstall it if you haven’t. Mophiesec noted in its blog that it had disclosed several other vulnerabilities to Apple, but that this particular issue was the only one that had been fixed.