PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability

[MacRumors]

Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability.

Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked.

iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.

The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.

All versions of iTunes prior to 12.12.9 are impacted by this vulnerability, and so iTunes users who are running older versions of the software should make sure to update.

Synopsys first discovered the problem in September 2022, and told Apple about it at that point. Apple confirmed the vulnerability in November, and then patched it in May. Apple did not say that this exploit was known to have been used in the wild so it is not as critical as some other vulnerabilities, but it is still a good idea to install the latest version of iTunes right away.

Article Link: PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability

 

[AppleTO]

Awesome. Thanks for the instructions! 😎

/s

 

[TigerNike23]

Don’t you love it when some companies tell you how to hack into others systems?

/s

 

[Jmausmuc]

I wonder how many iTunes users there still are. Especially on windows.

 

[jacobgkau]

Don’t you love it when some companies tell you how to hack into others systems?

/s

I can't tell which part of your comment the sarcasm tag applies to, but the security researchers communicated the issue to Apple privately nine months ago, and waited over a week after the fix was published to disclose the issue publicly. This was a completely responsible disclosure on the researchers' part.

 

[HobeSoundDarryl]

I wonder how many iTunes users there still are. Especially on windows.

PC is a farrrrrrrrrrrrrrrrrrrr larger world than the bubble in which we Mac people play. Pay attention and you'll see DOS apps still running in relatively important settings- like hospitals. DOS! I just bumped into it in dominant use with a not-poor client only 3 years ago.

I would wild guess- and it is just that as I have no data to support it- there is more-to-far-more active iTunes users than Mac owners.

Here's a surprising(?) PCmag quote from only 4 years ago...

Microsoft currently lists the Windows version of iTunes as the most popular app on its digital store, putting it ahead of Netflix and Spotify.

I clicked a link into the store to see where it ranks now. It's #2, right behind WhatsApp and still ahead of Netflix and Spotify.

 

[jacobgkau]

Apple must not have thought this was a very serious vulnerability if it took them nine months to create the fix. That might be somewhat reasonable if they haven't seen or heard of this vulnerability being exploited in real-world malware (and to be fair, it was only a local escalation vulnerability, rather than remote), but two months just to confirm the issue also seems a little slow.

I wonder how much of that time was eaten up by internal bureaucracy such as legal procedures regarding admitting to a vulnerability. It's interesting that the most valuable company in the world operates like this, while I'd expect quicker acknowledgement and remediation from much lesser-funded open-source projects.

 

[maternidad]

I used this vulnerability a couple of times on others, so I’m sad to see it patched.

 

[MrRom92]

Now if only they can patch the bug that makes FLAC files unusable

 

[MrMojo1]

I wonder how many iTunes users there still are. Especially on windows.

Why do Apple users continually assume that Windows users don't own any Apple products like an iPhone?
There are lots of iPhone owners who are PC users not Mac users. Also, Windows are [still] used in many parts of the world, more than Macs, esp. in corporate settings.

 

[1284814]

How about 12.6.5 update for app management

 

[Skyscraperfan]

Isn't it ironic that Apple software introduces a vulnerability to Windows?

 

[1284814]

Based on what I understand this is an issue for people with multiple users on your computer. If you do not have multiple accounts or share your computer you should be safe if you are using the old version of iTunes for windows with Book and apps managements.
honestly apple is forcing people to buy a Mac to properly back up their so called portable computers.

 

[vertsix]

I wonder how many iTunes users there still are. Especially on windows.

Right here.

Still sync 23,000 songs and counting to my 1TB 13 Pro Max.

 

[KPOM]

Apple must not have thought this was a very serious vulnerability if it took them nine months to create the fix. That might be somewhat reasonable if they haven't seen or heard of this vulnerability being exploited in real-world malware (and to be fair, it was only a local escalation vulnerability, rather than remote), but two months just to confirm the issue also seems a little slow.

I wonder how much of that time was eaten up by internal bureaucracy such as legal procedures regarding admitting to a vulnerability. It's interesting that the most valuable company in the world operates like this, while I'd expect quicker acknowledgement and remediation from much lesser-funded open-source projects.

We don’t know all the specifics. Last week Microsoft disclosed that it found a vulnerability in Migration Assistant that it disclosed to Apple earlier this year. Apple went right on the case and fixed it quickly. Perhaps because iTunes is for a non-Apple OS it took longer to confirm the specific vulnerability and identity the fix that would not break other functionality.

 

[q64ceo]

12.12.9.4 for those who are using the Windows store published version.

 

[jchap]

iTunes does not even function worth a damn for me on Windows 11 to begin with. Syncing is slow as molasses, the app throws errors, connectivity to the iPad's internal app file storage is well-nigh impossible... where to begin. I just downloaded and installed it yesterday, and the entire iTunes framework on Windows seemed like it was about ready for imminent collapse. Sluggish, unresponsive and can't even download the Apple Music library without freezing. This was on a 2022 LG Gram with 32 GB memory, so system resources would not seem to be the problem here.

Apple Music Preview is available on Windows now, and I haven't tried it.

It's been said before on this forum, but considering the track record of marginal to poor usability and UX design on the Mac with iTunes and now Apple Music (which is better in some areas and worse in others), Apple needs to get with the game and pay attention to the Windows PC market if they want to avoid alienating their cross-platform Apple Music user base. Such a poor offering by Apple—you can definitely tell that they are not interested in making a respectable effort of it. Security patches to iTunes for Windows are the least of their problems.

 

[Hank001]

Right here.

Still sync 23,000 songs and counting to my 1TB 13 Pro Max.

Me too. And I have the bug that iTunes (also when syncing with Apple Music / Finder) syncs over all songs, including the ones that are already on my iPhone. Major PIA, major bug, for over 13 years now.

iTunes syncs the same handful of songs on every sync

Every time I sync my iPod (Touch 2G), there are about 20 or 30 songs that iTunes insists on syncing. I usually sync just to get a couple of updated podcasts, but have to wait while it needlessly sy...

superuser.com

iTunes copies same songs everytime i sync - Apple Community

discussions.apple.com

 

[svish]

Glad to hear that vulnerability is fixed and that update is available.

 

[MrRom92]

Me too. And I have the bug that iTunes (also when syncing with Apple Music / Finder) syncs over all songs, including the ones that are already on my iPhone. Major PIA, major bug, for over 13 years now.

iTunes syncs the same handful of songs on every sync

Every time I sync my iPod (Touch 2G), there are about 20 or 30 songs that iTunes insists on syncing. I usually sync just to get a couple of updated podcasts, but have to wait while it needlessly sy...

superuser.com

iTunes copies same songs everytime i sync - Apple Community

discussions.apple.com

The most ideal thing would be if apple completely did away with “syncing” or any sort of library management. Just put a folder on the device we can drag and drop any files we want to using the normal windows explorer and the songs should just show up when we open the Music app. Would resolve many, many problems with the way they’ve implemented things. And this is basically how any other personal media player functioned for the last 25 years.

 

[ccsicecoke]

I wonder how many iTunes users there still are. Especially on windows.

I use iTunes

 

[verpeiler]

PC is a farrrrrrrrrrrrrrrrrrrr larger world than the bubble in which we Mac people play. Pay attention and you'll see DOS apps still running in relatively important settings- like hospitals. DOS! I just bumped into it in dominant use with a not-poor client only 3 years ago.

I would wild guess- and it is just that as I have no data to support it- there is more-to-far-more active iTunes users than Mac owners.

Here's a surprising(?) PCmag quote from only 4 years ago...



I clicked a link into the store to see where it ranks now. It's #2, right behind WhatsApp and still ahead of Netflix and Spotify.

..and that doesn't even count people who just downloaded iTunes and didn't use the store. I guess that's an even larger number.

I tried the new "Apple Music" Preview app and it's ok so far.

 

[Motawa]

bUt wHo rUnS wInDoWs??? iTs sO sTuPid!!!111

 

[Sun Baked]

You had me worried there for a second, then I realized I never installed iTunes on Windows ARM.

 

[macfacts]

So if you don't update it an iTunes user can get admin access to the windows machine, but only an admin user can update iTunes.