Security firm Morphisec identified a zero-day bug in Apple’s Software Update utility that comes packaged with iTunes for Windows. The flaw allowed attackers to install ransomware on vulnerable machines.
Apple Programmers Make Coding Error
According to the researchers, the attackers used an "unquoted path" to install ransomware and remain undetected. An unquoted service path vulnerability is created when a service has an executable path with spaces and isn’t enclosed within quotes. This often happens when the developer forgets to enclose the file path within the quotation marks.
The attackers abused this flaw to create malicious child processes underneath trusted and digitally-signed parent processes. This allowed them to bypass antivirus protection because this sort of behavior isn’t generally regarded as unsafe by antivirus vendors due to all the potential false alarms it could otherwise create.
The unquoted path bug is not often seen in the wild, but it’s been found in other popular pieces of software, too, such as Intel’s graphics driver, ExpressVPN, and ForcePointVPN. The reason it doesn’t often happen is because programmers are usually well aware of it. However, the flaw somehow landed in one of Apple’s most used software libraries.
Apple also repeated one of Zoom’s recent mistakes, and that is to leave the update utility installed on users’ machines, even if the users uninstall the main software. The researchers found that although the iTunes software had been uninstalled on many machines years ago, the update utility remained, thus leaving users exposed to this sort of zero-day attack.
Bug Exploited In The Wild To Install BitPaymer Ransomware
The bug isn’t just theoretical, as the Morphisec researchers found the attackers were using it to install the BitPaymer ransomware on the Windows machines of an unidentified automotive company as recently as this August.
The exploit allowed attackers to execute a malicious file called "Program," which may have already existed on the automotive company’s network. The file didn’t use an .exe extension, which also allowed it to avoid antivirus scanners.
Apple’s update utility was attempting to run from “Program Files,” but instead it ran the malicious "Program" file, because Apple didn’t enclose its software’s file path within quotation marks.
Morphisec notified Apple immediately about the bug in August. The company patched the flaw on Monday in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14. Morphisec complained on its website that Apple has yet to patch other similar bugs that the security firm has already reported to Apple.