One of the flaws that Apple patched in last week’s iTunes app for Windows update was a zero-day used to spread the BitPaymer ransomware, security company Morphisec Labs has revealed.

This alarming-sounding flaw is only briefly alluded to at the end of Apple’s release notes for iTunes version 12.10.1 as being related to Apple’s Software Updater, also used by iCloud for Windows.

According to a new blog by Morphisec, we now know it was a zero-day vulnerability used by BitPaymer to target “yet another enterprise in the automotive industry.”

The flaw itself is a rare example of an ‘unquoted path class’ described by Morphisec as:

So thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not the case, and this Apple zero-day is evidence.

It’s certainly surprising that a company of Apple’s resources would have allowed such an old-school issue to slip through its development.

Morphisec said that the attack that deployed an exploit for the bug against an “enterprise in the automotive industry” was detected in August, a month after it published details of a larger BitPaymer campaign targeting at least 15 US organisations over the summer.

Finding a flaw in Apple Software Updater must have been gold for the cybercriminals who exploited it – as a signed application, its legitimacy would, in theory, have been a huge leg up for any attacker looking to bypass Windows security.

Earlier this year, Apple announced that it was shutting down iTunes after 18 years, which will be replaced for Mac users with a range of standalone apps. However, users who access iTunes on Windows will need to keep using (and updating) the current unloved iTunes app, for a while at least.

The updater for that – and the Windows iCloud app – is Apple Software Updater, which while bundled with iTunes for Windows is a separate program. That means that even if a Windows user decides to de-install iTunes to avoid this and other future security flaws, Updater will remain installed.

We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises.
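An audit for the ‘unquoted path’ class named in the article, as an added example that is not code from the article, Morphisec or Apple: when a Windows service command line contains spaces and is not wrapped in quotes, Windows may try each space-delimited prefix as the executable, so those prefixes are the locations to check for unexpected files and weak directory permissions. The service names and paths are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample service command lines (not taken from any real system).
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\updater.exe -service",
    "QuotedUpdater": r'"C:\Program Files\Example Vendor\Updater\updater.exe" -service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "EnvPath": r"%ProgramFiles%\Example Vendor\agent.exe",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

# Shortest leading run that ends in an executable extension, followed by
# whitespace or end of string: the binary portion of an unquoted command line.
_EXE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


def unquoted_executable(image_path):
    """Return the executable path if the command line is unquoted, else None."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return None  # quoted: the path is unambiguous
    match = _EXE.match(image_path)
    return match.group(1) if match else None  # drivers etc. do not match


def prefixes_to_review(exe_path):
    """Space-delimited prefixes that could be resolved ahead of the real binary."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services):
    """Map each affected service name to the file locations worth reviewing."""
    findings = {}
    for name, image_path in services.items():
        exe = unquoted_executable(image_path)
        if exe and " " in exe:
            # Environment variables are left unexpanded; expand on the host.
            findings[name] = prefixes_to_review(exe)
    return findings


if __name__ == "__main__":
    for name, locations in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; review {locations}")
```

The fix for a flagged entry is to wrap the executable path in double quotes in the service configuration.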