Security researchers have found a vulnerability in iTunes for Windows that allows users to escalate system privileges. Windows users should update the app as soon as possible.
At the end of 2022, the Synopsys Cybersecurity Research Center (CyRC) found a security hole within the Windows version of the iTunes app. Exploitation can lead to local privilege escalation to gain system-wide privileges.
User rights determine what a user account can do on a computer system. They are an essential part of system security and ensure that users can perform tasks without compromising system security.
Permissions can include the ability to open files, change or delete data, or change system settings. Administrators can do more, such as install new apps and manage user accounts.
With this vulnerabilitysomeone with limited user rights on a Windows computer, especially with certain versions of iTunes, could exploit the system to gain elevated privileges. This could allow an attacker to gain unauthorized access to sensitive data, alter or delete data, or launch attacks on other computers within the same network.
The iTunes software creates a folder (“SC Info”) on the Windows system. Only the system should use this folder, but iTunes gives full control over it to all users. If a user deletes this folder and then creates a shortcut from where the folder was located to the Windows system folder, it will force a system restore process to recreate the folder.
This new folder, linked to the system folder, gives attackers extensive access to the Windows system.
How to protect yourself from the iTunes bug
The Synopsys team has previously reported the vulnerability to Apple, which is listed in the Database of Publicly Disclosed Computer Vulnerabilities as CVE-2023-32353 Common vulnerabilities and risks. As a result, Apple released a patch on May 23.
The issue affects versions of iTunes on Windows prior to 12.12.9 and users are advised to install the latest available update as soon as possible.
News