Zero-day vulnerability that can install ransomware on iTunes and iCloud is discovered

An Israeli cybersecurity company, Morphisec, identified a zero-day vulnerability in iTunes and iCloud for Windows and discovered that hackers were using it to install ransomware. According to Morphisec's report, Apple has already fixed the vulnerability.

Apple Zero-Day Exploited in New BitPaymer Campaign
https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign

Attackers exploit an iTunes zeroday to install ransomware | Ars Technica
https://arstechnica.com/information-technology/2019/10/attackers-exploit-an-itunes-zeroday-to-install-ransomware/

The vulnerability in question is what is known as the 'unquoted program path problem', in the Bonjour component shipped with iTunes and iCloud for Windows. The problem arises from the way Windows interprets a path that contains spaces but is not enclosed in quotation marks: it cannot tell where the 'program path' ends and the 'parameters' begin.

Normally, the path to a service executable is enclosed in quotation marks, as in "c:\Program files\file.exe". If the quotation marks are missing, Windows treats the space in "Program files" as a delimiter, so before it ever reaches "c:\Program files\file.exe" it tries to execute the file "c:\Program.exe".


The unquoted program path problem is explained in an easy-to-understand way at the following site.

Security Professionals Network Inc.-[SPN Communications] Program path processing problems not enclosed in quotes
http://www.sec-pro.net/newsletter/20121112.html

The technique Morphisec discovered is to drop the ransomware "BitPaymer" on the machine as a file named "Program" with no extension. Because of the unquoted program path problem described above, Bonjour executes the BitPaymer file "c:\Program" instead of the update program in the "c:\Program Files" folder.

The reason "Program" has no extension is that anti-virus software may scan only certain file extensions so as not to degrade machine performance. By giving the BitPaymer file no extension, the attackers avoided detection by anti-virus software.
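The following PowerShell audit is an added example, not code from the article, Morphisec or Apple. It lists every Windows service whose image path is unquoted and contains spaces, computes the "shadow" file names Windows could try before the real executable (such as c:\Program for a path under c:\Program Files), and reports whether any of them already exists on disk; checking both the extensionless name and the .exe form is an assumption made here to cover both cases the article describes.

```powershell
# Added example (not from the article, Morphisec or Apple): audit the local
# machine's services for unquoted image paths containing spaces and list the
# shadow files Windows could execute before the intended program.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path -or $path -match '^\s*"') { return }   # quoted paths are safe

        # Keep only the image path; drop any arguments that follow the executable.
        if ($path -match '^(.*?\.exe)(\s.*)?$') { $path = $Matches[1] }
        if ($path -notmatch '\s') { return }

        # Every space is a possible split point. For
        # "C:\Program Files\Bonjour\mDNSResponder.exe" the first candidate is
        # C:\Program, exactly the name the BitPaymer file used.
        # Assumption: both the bare name and the .exe form are checked, since
        # how the launcher resolves the name can differ.
        $parts = $path -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            $prefix
            "${prefix}.exe"
        }
        [PSCustomObject]@{
            Service      = $svc.Name
            ImagePath    = $path
            Candidates   = $candidates
            RoguePresent = @($candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        }
    }
}

# An unquoted path is a misconfiguration to fix; a non-empty RoguePresent is an incident to investigate.
Get-UnquotedServicePath | Format-List
```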


Morphisec discovered that BitPaymer had been installed on a PC at an automobile company by this method and reported the vulnerability to Apple immediately. On October 7, 2019, Apple released 'iCloud for Windows 7.14' and 'iTunes 12.10.1 for Windows', which fix the vulnerability.

About the security content of iTunes for Windows 12.10.1 - Apple Support
https://support.apple.com/en-us/HT210635

About the security content of iCloud 7.14 for Windows - Apple Support
https://support.apple.com/en-us/HT210637

Because uninstalling iTunes does not automatically remove Bonjour, people who once used iTunes but no longer do may still have a vulnerable Bonjour on their PC.

Morphisec published its report on this vulnerability after waiting for Apple to fix it. According to Morphisec, "Apple has fixed the vulnerabilities exploited by hackers, but has not fixed other vulnerabilities reported at the same time."

in Security, Posted by darkhorse_log