Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Apple iTunes has a serious security flaw you really should know about

iTunes in Windows 11

A high-severity vulnerability has been discovered in Apple's iconic iTunes program that could allow threat actors to escalate privileges locally, essentially giving them the keys to the kingdom. 

Cybersecurity researchers from Synopsys outlined the flaw in the Windows version of the multimedia hub, explaining that the app creates a privileged folder with weak access controls.

As a result, a threat actor (in this case, a regular user without any elevated privileges) can redirect this folder creation to the Windows system directory, and then use the folder to obtain a higher-privileged system shell. 

High severity iTunes flaw

“The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users,” the researchers explained. “After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.”

The flaw is now tracked as CVE-2023-32353, affecting iTunes versions prior to 12.12.9. It has a severity score of 7.8 and is deemed “high severity”.

Apple has been hard at work lately remedying a number of high-severity vulnerabilities across its ecosystem. 

Microsoft recently reported finding  a major bug in macOS, dubbed Migraine which could have allowed threat actors with root privileges to bypass System Integrity Protection, giving them the ability to install “undeletable” malware

Furthermore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data. The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.

Also, less than a month ago, the company announced fixing two zero-day vulnerabilities that were apparently being abused in the wild to target iPhone, Mac, and iPad endpoint users. The flaws enabled threat actors to take full control over the vulnerable devices, it was said.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.