Although Apple retired iTunes for Mac in 2019 with the release of macOS Catalina, its legacy lives on for Windows users. Sadly, that legacy also includes many of the security problems that Windows apps can fall victim to.
Earlier this week, researchers discovered a perfect storm of vulnerabilities that could turn iTunes for Windows into a serious security risk. While the process for exploiting this was a bit convoluted, it was still an open door that potential malware could take advantage of.
The flaw was uncovered by Zeeshan Shaikh of the Synopsys Cybersecurity Research Center (CyRC), which published some details on the problem after Apple released iTunes 12.12.9 to patch the issue.
“The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.”
The iTunes 12.12.9 update was quietly pushed out by Apple around May 23, with patches for two security problems that could allow apps to elevate privileges, addressing the “logic issue with improved checks.” The discovery of one of the two flaws was credited to Synopsys’ Shaikh, while the second was discovered by “ycdxsb” of VARAS@IIE.
It’s unclear how far back this vulnerability goes, but it’s safe to say it likely encompasses all versions of iTunes 12 before the 12.12.9 fix. Hence, if you haven’t updated iTunes for Windows yet, you should do so immediately.
You’ll need to download the latest version through the Microsoft Store, as the newest version Apple offers for direct download from its website is iTunes 12.10.11, which very likely still includes the vulnerability in question.
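The two things an administrator can check on a Windows fleet are the ones described above: whether the installed iTunes build is older than the patched 12.12.9, and whether the SC Info folder still carries an ACL that hands Full Control (or the Delete right the described abuse starts with) to all users. The following script is an added example written for this article; it is not code from Apple, Synopsys, or iDrop News. The folder path and the 12.12.9 threshold come from the article; the Microsoft Store package name `AppleInc.iTunes`, the classic install path, and the list of "broad" principals are assumptions on my part.

```powershell
# Added example (not from the article, Synopsys or Apple). Audits a Windows host for
# an unpatched iTunes build (< 12.12.9) and for an "SC Info" folder whose ACL grants
# broad principals Full Control or Delete. Run from an elevated PowerShell prompt.
# Assumptions: Store package name 'AppleInc.iTunes', classic install path, and the
# set of "broad" principals below. Path and version threshold come from the article.

$PatchedVersion = [version]'12.12.9'
$ScInfoPath     = 'C:\ProgramData\Apple Computer\iTunes\SC Info'

function Get-ITunesInstall {
    # Returns one object per iTunes install found (classic installer and/or Store package).
    $results = @()

    # Classic (MSI) install location.
    $classic = Join-Path $env:ProgramFiles 'iTunes\iTunes.exe'
    if (Test-Path -LiteralPath $classic) {
        $raw = (Get-Item -LiteralPath $classic).VersionInfo.ProductVersion
        if ($raw -match '^\s*(\d+(\.\d+)+)') {
            $ver = [version]$Matches[1]
            $results += [pscustomobject]@{ Source = 'Installer'; Version = $ver; Patched = ($ver -ge $PatchedVersion) }
        }
    }

    # Store install: package name is an assumption. WindowsApps is normally not readable even
    # by admins, so fall back to the package version, which uses a different numbering scheme
    # from the in-app version and is therefore reported without a Patched verdict.
    $pkg = Get-AppxPackage -Name 'AppleInc.iTunes' -ErrorAction SilentlyContinue
    if ($pkg) {
        $exe = Join-Path $pkg.InstallLocation 'iTunes.exe'
        $ver = $null
        try {
            $raw = (Get-Item -LiteralPath $exe -ErrorAction Stop).VersionInfo.ProductVersion
            if ($raw -match '^\s*(\d+(\.\d+)+)') { $ver = [version]$Matches[1] }
        } catch { }
        if ($ver) {
            $results += [pscustomobject]@{ Source = 'Microsoft Store'; Version = $ver; Patched = ($ver -ge $PatchedVersion) }
        } else {
            $results += [pscustomobject]@{ Source = 'Microsoft Store (package version)'; Version = $pkg.Version; Patched = $null }
        }
    }
    return $results
}

function Get-RiskyScInfoAce {
    # Returns Allow ACEs on the SC Info folder that give broad principals Full Control or Delete.
    param([string]$Path = $ScInfoPath)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $FullControl = 0x1F01FF    # FILE_ALL_ACCESS
    $GenericAll  = 0x10000000  # GENERIC_ALL, seen on ACEs that were never mapped to specific rights
    $DeleteRight = 0x00010000  # DELETE

    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        if ($_.AccessControlType -ne 'Allow') { return }
        if ($broad -notcontains $_.IdentityReference.Value) { return }
        $rights = [int]$_.FileSystemRights
        $full   = (($rights -band $FullControl) -eq $FullControl) -or (($rights -band $GenericAll) -ne 0)
        $delete = ($rights -band $DeleteRight) -ne 0
        if ($full -or $delete) {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Rights      = $_.FileSystemRights
                FullControl = $full
                CanDelete   = $delete
                Inherited   = $_.IsInherited
            }
        }
    }
}

function Invoke-ITunesAudit {
    $installs  = @(Get-ITunesInstall)
    $unpatched = @($installs | Where-Object { $_.Patched -eq $false })
    $aces      = @(Get-RiskyScInfoAce)
    [pscustomobject]@{
        Installs       = $installs
        Unpatched      = $unpatched
        RiskyAces      = $aces
        NeedsAttention = ($unpatched.Count -gt 0) -or ($aces.Count -gt 0)
    }
}

$audit = Invoke-ITunesAudit
if ($audit.Installs.Count -eq 0) { Write-Output 'iTunes not found on this host.' }
$audit.Installs  | Format-Table Source, Version, Patched -AutoSize
$audit.RiskyAces | Format-Table Identity, Rights, FullControl, CanDelete, Inherited -AutoSize
if ($audit.NeedsAttention) {
    Write-Warning 'Update iTunes to 12.12.9 or later via the Microsoft Store and review the SC Info folder ACL.'
}
```

A `Patched` value of `$null` on the Store row means the script could only read the package version, which does not use the 12.x numbering and so cannot be compared against 12.12.9; in that case confirm the version from inside iTunes. The ACL check flags the Delete right as well as Full Control because the described abuse begins with deleting the folder, and inherited entries are reported too, since a permissive ACE on the parent iTunes directory would reach SC Info just the same.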
According to Synopsys’ timeline, it first discovered the vulnerability in September 2022 and reported it to Apple, which confirmed its existence in November and released a patch in May. It’s unclear what took it so long to respond, but since there’s no evidence this issue was ever exploited, it was likely a lower priority for Apple. Then again, that can be said for iTunes for Windows as a whole.
There have been persistent rumors over the past few years that Apple would finally split up iTunes on Windows, killing its bloated and monolithic app in favor of separate Music, TV, Podcast, and Books apps, much like it’s done on the Mac.
Sadly, none of those have ever come to fruition, and the Windows platform lags even further behind the Mac when it comes to Apple’s first-party apps, having never even gained the standalone Apple Books app that came to the Mac as iBooks in 2013. Last fall, Apple released a “preview” version of its TV app on the Microsoft Store; however, that’s likely only because it was easier to create a new standalone app than update iTunes to add support for streaming Apple TV+ content on Windows.
Now that this vulnerability has been published, Windows users running iTunes are no longer protected by “security through obscurity.” Bad actors will undoubtedly begin using this new knowledge to craft malware that could target older versions of iTunes, making it much more critical to ensure you’re running the latest version of iTunes.