A zero-day vulnerability in Apple iTunes for Windows enabled attackers to run ransomware under a trusted, Apple-signed process and so evade antivirus detection on Windows devices. The targeted BitPaymer or IEncrypt ransomware campaign was detected by researchers at Morphisec, who called the iTunes exploit a "new and alarming evasion technique."
This Apple zero-day vulnerability is in the Bonjour updater that comes packaged with iTunes and iCloud for Windows. Morphisec said that the "adversaries abused an unquoted path to maintain persistence and evade detection." The unquoted path vulnerability is a widely known bug class that occurs when developers forget to surround a file path with quotation marks. When an unquoted path that contains spaces (for example anything under "Program Files") is handed to Windows to execute, the system does not know where the executable name ends and the arguments begin, so it tries each space-delimited prefix of the path in turn, appending ".exe", until it finds a file that exists. Whoever can write a file at one of those shorter paths gets it executed instead of the intended program. This latest zero-day is proof that developers continue to ignore quotes.
Many developers, especially when assigning a path to a variable in an object-oriented language, assume that holding the path in a String is enough to keep it intact. It is not: the string type only matters to the program, while the operating system sees a flat command line. The value passed to Windows must still contain the surrounding double quotes ("), which in most languages means escaping them inside the string literal (\") or adding them when the command line is built.
This small oversight let the attackers plant their ransomware at one of the truncated paths that Windows tries before reaching the real Bonjour updater executable, so that whenever the updater was launched, the ransomware ran in its place. The technique effectively bypasses detection because the malicious execution is introduced through a trusted program that is digitally signed by a legitimate developer like Apple, and the ransomware runs as a child of that trusted update process. "Since Apple Software Update is signed and known, the adversary uses this to their advantage," Morphisec writes.
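To make the mechanism concrete, here is an added example (not code from the article, from Apple or from Morphisec) that models the documented CreateProcess rule for an unquoted command line and audits a set of service or scheduled-task command lines for the bug. The sample entries are constructed for illustration and are not the real Bonjour or Apple Software Update paths; the code assumes the intended executable ends in ".exe" and that quoting the image path is the fix.

```python
"""
Added example: how Windows resolves an UNQUOTED image path that contains spaces,
which paths become hijack points, and the quoted (hardened) form.

CreateProcess rule for an unquoted module name with spaces (from the Win32 docs):
    c:\\program files\\sub dir\\program name
is tried as
    c:\\program.exe, c:\\program files\\sub.exe,
    c:\\program files\\sub dir\\program.exe, c:\\program files\\sub dir\\program name.exe
in that order, stopping at the first file that exists.
"""
import re
from typing import List, Tuple

# Unquoted command line: image path up to and including ".exe", rest is arguments.
# Assumption: the intended executable has a .exe extension.
_IMAGE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)


def split_image_and_args(command_line: str) -> Tuple[str, str, bool]:
    """Split a command line into (image, args, was_quoted)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: whole thing is the image
            return cmd[1:], "", True
        return cmd[1:end], cmd[end + 1:], True
    m = _IMAGE_RE.match(cmd)
    if m:
        return m.group(1), m.group(2) or "", False
    return cmd, "", False                  # no .exe at all: treat everything as the image


def candidate_executables(command_line: str) -> List[str]:
    """Executables Windows may try, in order, for this command line.

    Unquoted image with spaces: every space-delimited prefix is tried
    (".exe" appended when the last path component has no extension).
    Quoted image: exactly one candidate, so there is nothing to hijack.
    """
    image, _args, quoted = split_image_and_args(command_line)
    if quoted:
        return [image]
    tokens = image.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        if "." not in last_component:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(command_line: str) -> List[str]:
    """Paths where a planted file would run instead of the real image."""
    return candidate_executables(command_line)[:-1]


def quote_command_line(command_line: str) -> str:
    """Hardened form: wrap the image path in double quotes, keep the arguments."""
    image, args, _quoted = split_image_and_args(command_line)
    return f'"{image}"{args}'


def audit(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (name, hijack_points) for each entry that is exploitable.

    Unquoted paths without spaces (e.g. under System32) are not flagged,
    because Windows has only one prefix to try.
    """
    return [(name, hijack_points(cmd)) for name, cmd in entries if hijack_points(cmd)]


# Constructed sample entries (hypothetical vendors and paths, NOT real Apple paths),
# in the shape Win32_Service.PathName or a scheduled task's action would report them.
SAMPLE_ENTRIES = [
    ("VendorUpdateAgent", r"C:\Program Files\Vendor\Update Agent\updater.exe -background"),
    ("Spooler",           r"C:\Windows\System32\spoolsv.exe"),
    ("GoodSvc",           r'"C:\Program Files\Vendor\Good Service\svc.exe" -run'),
    ("LegacyAgent",       r"C:\Tools\my agent\agent.exe"),
]

if __name__ == "__main__":
    for name, points in audit(SAMPLE_ENTRIES):
        print(f"[!] {name}: unquoted path with spaces; hijack points:")
        for p in points:
            print(f"      {p}")
        original = dict(SAMPLE_ENTRIES)[name]
        print(f"    fix: {quote_command_line(original)}")
```

On a real Windows host the same `audit()` can be fed the `PathName` of every `Win32_Service` and the `Execute` field of every scheduled task action; the output lists exactly the shorter paths a defender should check for unexpected files, and the quoted form shows what the vendor's installer should have written.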
Apple has fixed the flaw but it will affect even those who have uninstalled iTunes for Windows
Morphisec warns that even if you don't currently run iTunes but did so in the past, you could still be at risk, and suggests that this is likely why the attackers chose this process for evasion.
In most cases, people are not aware that the Apple Software Update component has to be uninstalled separately when uninstalling iTunes. Because of this, machines are left with the updater task still installed and still running.
We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silent, un-updated, and still working in the background. Following this discovery, we identified the attack surface and the motivation of the attacker to choose this process for evasion.
Morphisec researchers also added that Apple "haven't fixed all the vulnerabilities reported by us, only the one that was abused by the attackers." In any case, if you do use iTunes or iCloud for Windows, make sure to update to the very latest version, and if you uninstalled iTunes in the past, check whether Apple Software Update is still installed and remove or update it. Mac users aren't affected by this bug.
- More details at Morphisec's security blog.