Apple released fix for critical flaw in Windows versions of iTunes
Take action: If you are using iTunes, update it. We know that updating iTunes may be a hassle because of support for various older Apple devices, but if you are using it for any music playing, it's wise to patch things up.
Apple has released a fix for a critical vulnerability in its iTunes application for Windows 10 and Windows 11, tracked as CVE-2024-27793 (CVSS score 9.1). The flaw could potentially allow malicious attackers to execute arbitrary code remotely.
The issue is caused by insufficient checks in the CoreMedia framework, a component of iTunes that handles the processing of media samples and the management of data queues. This vulnerability could be exploited by attackers to trigger unexpected application terminations or even arbitrary code execution by parsing a maliciously crafted file. The attack can be executed remotely and does not require the attacker to have local access to the victim's computer.
While Apple has not disclosed any details of exploitation, it has confirmed that the fix has been implemented. The flaw is addressed in the latest iTunes version (12.13.2), released on May 8.
For users unable to update immediately, it is recommended to avoid opening media files from unknown or untrusted sources in iTunes until the update is applied.