Attackers exploit an iTunes zero-day to install ransomware



Apple patches actively exploited flaw that let ransomware crooks evade AV protection.

Attackers exploited a zero-day vulnerability in Apple's iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported on Thursday. Apple patched the vulnerability earlier this week.

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which, as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

Morphisec CTO Michael Gorelik explained it this way:


As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor. Since Bonjour is signed and known, the adversary uses this to their advantage. Furthermore, security vendors try to minimize unnecessary conflicts with known software applications, so they will not prevent this behaviorally for fear of disrupting operations.

Unquoted path vulnerabilities have been found in other programs, including an Intel graphics driver, the ExpressVPN, and the Forcepoint VPN.


In August, Morphisec found attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry. The exploit allowed the attackers to execute a malicious file called "Program," which presumably was already on the target's network.


Gorelik continued:


https://arstechnica.com/information-technology/2019/10/attackers-exploit-an-itunes-zeroday-to-install-ransomware/?comments=1

Something to take away from this: if you've had iTunes but uninstalled it, check to make sure Bonjour isn't still hanging around, and if it is, uninstall it.

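As an added example (not code from the article, Ars Technica, Morphisec or Apple), here is a small Python audit that models the weakness the quoted article describes. It takes a constructed list of service image paths, flags the ones that are unquoted and contain a space inside the executable portion, and lists the alternative file names a loader may try before reaching the intended binary; that alternative name is where a planted file like the article's "Program" would have to sit, and its parent directory is the ACL a defender should review. Every service name and path below is a constructed placeholder, not one of Apple's real paths.

```python
"""Audit service ImagePath strings for the unquoted-service-path weakness.

Added example, not code from the article or from Morphisec/Apple. All service
entries below are constructed; the paths are placeholders, not Apple's real ones.
"""
import ntpath  # Windows path semantics even when run on another OS
import re
from typing import Dict, List, Tuple

# Constructed sample of what a registry/SCM dump of service image paths might
# look like. The first entry mirrors the pattern the article describes: an
# unquoted path under "Program Files" for a signed, trusted binary.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Bonjour Service", r"C:\Program Files\Bonjour\bonjour_svc.exe"),         # unquoted, space in path: flagged
    ("Good Vendor Svc", r'"C:\Program Files\Good Vendor\svc.exe" -k net'),   # quoted: safe
    ("Netsvcs",         r"C:\Windows\System32\svchost.exe -k netsvcs"),      # no space in exe path: safe
    ("Agent",           r"C:\Tools\agent.exe --log C:\Program Files\logs"),  # space only in arguments: safe
]

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def executable_part(image_path: str) -> str:
    """Return the executable portion of an unquoted ImagePath (everything up to
    and including the first '.exe'), or the whole string if no '.exe' is present."""
    p = image_path.strip()
    m = _EXE_RE.search(p)
    return p[: m.end()] if m else p


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable portion
    itself contains a space, i.e. the loader has to guess where the name ends."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def hijack_candidates(exe_path: str) -> List[str]:
    """For each space in the path, the prefix before it is a name the loader may
    try before the intended one. Both the bare prefix and prefix + '.exe' are
    listed as a conservative superset (CreateProcess appends .exe when a name
    has no extension). A defender checks that none of these files exist and
    that the directory holding each is not writable by standard users."""
    out: List[str] = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            prefix = exe_path[:i]
            out.append(prefix)
            out.append(prefix + ".exe")
    return out


def audit_services(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged service name to the candidate paths a planted file
    would have to occupy; services with a safe ImagePath are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in entries:
        if is_unquoted_with_spaces(image_path):
            findings[name] = hijack_candidates(executable_part(image_path))
    return findings


def directories_to_check(findings: Dict[str, List[str]]) -> List[str]:
    """Distinct parent directories of all candidates: these are the ACLs to review."""
    dirs = {ntpath.dirname(c) for cands in findings.values() for c in cands}
    return sorted(dirs)


if __name__ == "__main__":
    findings = audit_services(SAMPLE_SERVICES)
    for svc, cands in findings.items():
        print(f"[!] {svc}: unquoted path; loader may try {cands} first")
    print("directories whose ACLs to review:", directories_to_check(findings))
```

On a real host the `SAMPLE_SERVICES` list would be replaced by the `ImagePath` values read from each service's registry key; the rest of the logic is unchanged. The quoted entry shows the fix the article refers to: once the executable path is wrapped in quotation marks the loader has nothing to guess, and the service drops out of the findings.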

Another reason to only install it through the Windows 10 store.

Say what you want about UWP packaging, but the extra sandboxing is nice even for Win32 apps repackaged for the store :)


56 minutes ago, Brandon H said:

Another reason to only install it through the Windows 10 store.

Say what you want about UWP packaging, but the extra sandboxing is nice even for Win32 apps repackaged for the store :)

It also installs in under 10 seconds.

  • Like 2