Windows iTunes Security Vulnerability
Take action: It's important to keep your applications patched, not just the Operating System.
Attention Windows users: It is important to update your iTunes to the latest version, iTunes 12.12.9, as it addresses a recently uncovered security vulnerability.
Apple released iTunes 12.12.9 on May 23, specifically to fix an issue that could allow malicious apps to gain elevated privileges and install malware on Windows machines.
The vulnerability involves a privileged folder in iTunes with weak access control, enabling a malicious individual to redirect folder creation to the Windows system directory. This, in turn, could be exploited to obtain a higher-privileged system shell.
Details
The iTunes application creates a folder, "SC Info", in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives all users full control over this directory. After installation, the first user to run iTunes can delete the SC Info folder, create a link to the Windows system folder in its place, and force an MSI repair to re-create the folder. The result can later be used to gain Windows SYSTEM-level access.
Any version of iTunes prior to 12.12.9 is affected, so users running older versions should promptly update.
Although Apple stated that there were no known instances of this exploit being used in the wild, it is still recommended to install the latest iTunes version as a precautionary measure.
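To check a host for the conditions described under Details, the read-only PowerShell audit below reports the installed iTunes version, whether "SC Info" has been replaced by a link, and whether a broad group holds full control over it. It is an added example, not code from Apple or the original advisory; the registry lookup by `DisplayName` and the function names are assumptions.

```powershell
# Added audit example; not Apple's code. Read-only: it changes nothing on the host.
$FixedVersion = [version]'12.12.9'   # first fixed release, per the advisory
$ScInfo = Join-Path $env:ProgramData 'Apple Computer\iTunes\SC Info'

function Get-ITunesVersion {
    # Assumption: the desktop installer registers DisplayName 'iTunes' under Uninstall.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'iTunes' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-BroadFullControl([string]$Path) {
    # True when Everyone, Authenticated Users or BUILTIN\Users is allowed FullControl.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sid   = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sid)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            $ace.FileSystemRights.HasFlag($full)) {
            return $true
        }
    }
    return $false
}

$installed = Get-ITunesVersion
$exists    = Test-Path -LiteralPath $ScInfo
$item      = if ($exists) { Get-Item -LiteralPath $ScInfo -Force }
$reparse   = [System.IO.FileAttributes]::ReparsePoint

[pscustomobject]@{
    InstalledVersion = $installed
    # Outdated: iTunes is present and older than the fixed release.
    Outdated         = [bool]($installed -and ([version]$installed -lt $FixedVersion))
    ScInfoExists     = $exists
    # A junction or symlink here means folder creation has been redirected.
    ScInfoIsLink     = [bool]($item -and $item.Attributes.HasFlag($reparse))
    LinkTarget       = if ($item) { $item.Target }
    BroadFullControl = [bool]($exists -and (Test-BroadFullControl $ScInfo))
}
```

A host reporting `Outdated` as true needs the update; `ScInfoIsLink` as true on any host warrants investigation of the link target and of recent MSI repair activity.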