iTunes for Windows Zero-Day Exploited for Ransomware

Apple iTunes included a really dumb bug, which ransomware gangs have been using to attack victims’ Windows PCs. Not only that, but the vulnerability sticks around even if you uninstall iTunes.

It’s probably also there if you’ve ever installed Safari. It’s in the Bonjour service.

In the whatnow service? Well, quite.

So patch now—or just uninstall it. In today’s SB Blogwatch, we wave goodbye.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mariotap.


Say ‘Au Revoir’ to Bonjour

What’s the craic? Elizabeth Montalbano reports—“Attackers exploit an “unquoted path” flaw”:

 Bad actors are actively targeting a vulnerability in the Windows version of Apple iTunes to deliver BitPaymer/iEncrypt ransomware. … Researchers from Morphisec Labs in August identified the abuse [and] disclosed the attack to Apple, which has recently patched the flaw.

A combined BitPaymer/iEncrypt [ransomware] attack is exploiting the recently patched bug. [It] exploits an unquoted path vulnerability in Bonjour, which is software that organizations may not even know is running on their systems. … Even if a system uninstalled iTunes years ago, the Bonjour component remains silently un-updated and still working in the background.

And Dan Goodin adds, “Attackers exploit an iTunes zeroday”:

 The bug … as its name suggests, happens when a developer forgets to surround a file path with quotation marks. When the bug is in a trusted program—such as one digitally signed by a well-known developer like Apple—attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.

Anyone who has ever installed and later uninstalled iTunes should inspect their PCs. … That’s because the iTunes uninstaller doesn’t automatically remove Bonjour.

Morphisec CTO Michael Gorelik … described Bonjour as “a mechanism that Apple uses to deliver future updates.” Apple [says] it’s a service Apple applications use to find shared music libraries and other resources on a local network. … Gorelik said Bonjour serves both functions.

If true, that’s naughty of Apple. Gorelik is also critical of Apple’s software engineering chops—“Apple zero-day exploited”:

 The unquoted path vulnerability is rarely seen in the wild, yet it is a well-known bug that has previously been identified by other vendors for more than 15 years. … It is so thoroughly documented that you would expect programmers to be well aware of the vulnerability.

In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. … The Bonjour updater is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago.

And it’s not just him. @SecurityAura checks the date:

 Unquoted Service Path from a major tech vendor in 2019. Are they for real?

So Frosty Grin twists the knife:

 I’ve always found it annoying that iTunes uninstaller doesn’t uninstall everything. But now it’s a security risk too.

Another reason to ditch iTunes? Especially if you’re a penguinista, like @memerothh:

 It shocked me how well idevicebackup2 works on Linux. Zero need for iTunes.

Think yourself lucky you’re not on the new macOS Catalina. So says Philipp Defner—“Apple ruined iTunes”:

 I didn’t exactly love iTunes during the last few iterations but … it was still the same old — powerful — iTunes under the hood. … Until today, when I switched … to Catalina and Music.app messing up my library.

It wasn’t opening it any more and was asking for the “Library File”. After looking into the directory … I only saw years of different iTunes libraries, directories for Podcasts, Audio-books, iTunes libraries from 2011 and other cruft. … On top of that my trusted last.fm scrobbler NepTunes stopped working.

But Kiddluck thinks it’s partially Microsoft’s fault (because appcompat):

 Both Microsoft and and Apple are at fault, though the former to a lesser degree. … Parts of the directory path are split and set as variables given that MS still has full support for both 32 & 64 bit applications. This might have been able to be set statically if MS had the luxury of dropping legacy support [like] Apple.

As far as Apple: It’s a honest typo. Granted, one with severe consequences when actively exploited.

Regarding Bonjour: Yes it could be better implemented and supported on Windows. … I wish more things on the windows side “Just worked” like Bonjour’s zero-conf aspects.

Meanwhile, Quick2Click is quick to consider the bug-bounty possibilities:

 They could’ve made an easy quarter million dollars.

And Finally:

Super Mario Bros.

[Previously in And Finally]


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ian Dick (cc:by)

Featured eBook
The State of DevSecOps

The State of DevSecOps

For years now, IT’s mantra has been “move quickly and break things.” To increase agility, companies adopted innovative and quick development practices. Great redesigns took place in the wake of DevOps. However, in this rush to implement forward-thinking practices, many teams eschewed security. No longer can institutions disregard security requirements within their DevOps environment. The … Read More