Attackers exploit an iTunes zero-day to install ransomware


+warwagon    13,162


Quote


Apple patches actively exploited flaw that let ransomware crooks evade AV protection.


Attackers exploited a zero-day vulnerability in Apple's iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported on Thursday. Apple patched the vulnerability earlier this week.


The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows rely on, according to a blog post. The bug is known as an unquoted service path, which, as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

Morphisec CTO Michael Gorelik explained it this way:


As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor. Since Bonjour is signed and known, the adversary uses this to their advantage. Furthermore, security vendors try to minimize unnecessary conflicts with known software applications, so they will not prevent this behaviorally for fear of disrupting operations.

Unquoted path vulnerabilities have been found in other programs, including an Intel graphics driver, ExpressVPN, and the Forcepoint VPN.

In August, Morphisec found attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry. The exploit allowed the attackers to execute a malicious file called "Program," which presumably was already on the target's network.


Gorelik continued:


https://arstechnica.com/information-technology/2019/10/attackers-exploit-an-itunes-zeroday-to-install-ransomware/?comments=1


Something to take away from this is that if you've had iTunes but uninstalled it, check to make sure Bonjour isn't still hanging around, and if it is, uninstall it.

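The article describes the mechanism (an unquoted ImagePath with spaces makes Windows try each space-delimited prefix, such as `C:\Program`, before the real executable) but shows no check. The following is an added example, not code from the article, Morphisec or Apple, that audits a set of service image paths for this bug and lists the locations an attacker would need to write to. The service entries are constructed for the example; Bonjour's install path under `C:\Program Files\Bonjour` is an assumption, and the helper names (`executable_path`, `hijack_candidates`, `audit`, `parent_dirs`) are my own.

```python
"""Unquoted service path audit (added example, not from the article).

Models the documented CreateProcess rule for an unquoted command line that
contains spaces: before reaching the intended executable, the loader tries
every space-delimited prefix of the path. For
C:\\Program Files\\Bonjour\\mDNSResponder.exe that prefix is C:\\Program,
which is exactly the file name ("Program") the article says was executed.
"""
from __future__ import annotations

import ntpath  # handles backslash paths even when this runs on Linux/macOS
import re

# Constructed sample shaped like the PathName column of
# `Get-CimInstance Win32_Service`. The Bonjour path is an assumption made for
# the example; the other entries are invented.
SAMPLE_SERVICES: dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "VendorQuoted": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "Deep Unquoted": r"C:\Program Files (x86)\Some Vendor\Tool Suite\agent.exe /service",
}

# First ".exe" token, used only to separate an unquoted program from its
# arguments so the analysis does not treat "-k netsvcs" as part of the path.
_EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def executable_path(image_path: str) -> tuple[str, bool]:
    """Return (executable path, quoted?) for a service ImagePath value.

    Quoted paths are safe: the loader takes exactly the quoted text.
    Unquoted paths are split at the first .exe boundary for analysis.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = _EXE_RE.match(s)
    return (m.group(1) if m else s.split(" ")[0]), False


def hijack_candidates(exe_path: str) -> list[str]:
    """Paths tried before the intended executable: each space-delimited prefix.

    Whether the loader looks for the bare prefix or prefix + ".exe" depends on
    how the process is launched; the parent directory to protect is the same.
    """
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts))]


def parent_dirs(candidates: list[str]) -> list[str]:
    """Directories an attacker must be able to write to for a hijack."""
    return sorted({ntpath.dirname(c) for c in candidates})


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Return {service name: hijack candidate paths} for vulnerable entries.

    An entry is vulnerable only if it is unquoted AND the executable path
    itself contains a space; arguments after the .exe do not matter.
    """
    findings: dict[str, list[str]] = {}
    for name, image in services.items():
        exe, quoted = executable_path(image)
        if quoted or " " not in exe:
            continue
        findings[name] = hijack_candidates(exe)
    return findings


if __name__ == "__main__":
    for svc, cands in audit(SAMPLE_SERVICES).items():
        print(f"[!] {svc}")
        for c in cands:
            print(f"    loader tries: {c}")
        print(f"    check write ACL on: {', '.join(parent_dirs(cands))}")
```

Against a real host, replace `SAMPLE_SERVICES` with the Name/PathName pairs from `Get-CimInstance Win32_Service` and then inspect each reported parent directory with `icacls`; a finding only matters if a low-privileged user can create files there. The `.exe` boundary heuristic is for analysis only and is not how the loader itself tokenizes.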
Brandon H    3,096

another reason to only install it through the Windows 10 store.


say what you want about UWP packaging but the extra sandboxing is nice even for Win32 apps repackaged for the store :)

+warwagon    13,162
56 minutes ago, Brandon H said:

another reason to only install it through the Windows 10 store.


say what you want about UWP packaging but the extra sandboxing is nice even for Win32 apps repackaged for the store :)

It also installs in under 10 seconds.
