Windows ransomware was installed undetected using zero-day iTunes exploit

Apple has since patched the exploit

What you need to know

• A zero-day vulnerability in iTunes and iCloud for Windows allowed ransomware to be installed on Windows PCs undetected.
• Unquoted service path allowed hackers to run malicious apps that wouldn't trigger antivirus software.
• Vulnerability was actively being exploited to run ransomware BitPaymer.

A report from Cybersecurity company Morphisec via ArsTechnica has revealed how a zero-day vulnerability in iTunes and iCloud for Windows allowed hackers to infect Windows computers with ransomware without triggering antivirus software.

According to the report:

The vulnerability resided in the Bonjour component that both iTunes and iCloud for Windows relies on, according to a blog post. The bug is known as an unquoted service path, which as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

In August, Morphisec found attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry. The exploit allowed the attackers to execute a malicious file called "Program," which presumably was already on the target's network.

Gorelik said that Morphisec "immediately" notified Apple of the active exploit upon finding it in August. On Monday, Apple patched the vulnerability in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14. Windows users who have either application installed should ensure the automatic updates worked as they're supposed to. In an email, Gorelik said his company has reported additional vulnerabilities that Apple has yet to patch. Apple representatives didn't respond to an email seeking comment for this post.

Whilst the exploit was patched on Monday in iTunes 12.10.1 and iCloud 7.14 for Windows, anyone who has installed and then uninstalled iTunes on Windows could still be a risk, due to the fact that Bonjour is not automatically removed. Morphisec CTO Michael Gorelik wrote:

"In most cases, people are not aware that they need to uninstall the Bonjour component separately when uninstalling iTunes. Because of this, machines are left with the updater task installed and working. We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises...Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background."

According to Morphisec, Apple has not fixed all of the vulnerabilities it reported, only the one that was "abused by the attackers". Morphisec also states that it did not publish the vulnerability until the update was released to fix the problem, and that it "prevented the attack before any damage could have been caused."

The news comes in wake of analyst predictions that hacks targeted at Apple products and software are likely to increase as Apple expands its reach. In the meantime, users of iTunes and iCloud can steer clear of this latest exploit by updating to the latest release of both.