Researchers at Morphisec report that the operators of the BitPaymer ransomware have been actively exploiting a zero-day vulnerability in iTunes for Windows to run malicious code and evade detection.
The problem lies in Bonjour, the update mechanism bundled with iTunes for Windows. Its service uses an unquoted path (an executable path containing spaces that is not enclosed in quotation marks), which an attacker can abuse not only to bypass detection by antivirus solutions but also to gain persistence on the system.
In many cases, the Bonjour component remains behind when users uninstall iTunes. Because a large number of computers in corporate environments are still running Bonjour, it is not surprising that the BitPaymer operators chose it as an attack vector.
Security solutions typically monitor application behavior, in which the chain of process execution plays the main role. Bonjour is a signed and well-known process, so security products tend not to flag it in order to avoid unnecessary intervention. Attackers could take advantage of this to launch a malicious child process and go unnoticed. Moreover, the malicious payload has no file extension, so security solutions are unlikely to scan it.
Apple fixed the vulnerability last week, after learning that the BitPaymer operators were using it. The problem is fixed in iTunes for Windows version 12.10.1.
An unquoted service path is a rare vulnerability that arises when a service is created whose executable path contains spaces and is not enclosed in quotation marks. It allows a user to elevate their privileges to SYSTEM level (if the affected service runs with system privileges).
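As an added defensive example (not code from Morphisec, Apple, or the original article), the following Python audit parses service ImagePath values, flags any that are unquoted and contain spaces, and lists the file names Windows would try before reaching the intended executable. The service names and paths are constructed samples, and identifying the executable by its first `.exe` token is an assumed heuristic.

```python
import re
from typing import Dict, List, NamedTuple

# Matches the executable portion of an unquoted ImagePath: everything up to the
# first ".exe" token that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

class Finding(NamedTuple):
    service: str
    image_path: str
    executable: str
    candidates: List[str]  # file names the loader would try, in order

def executable_of(image_path: str):
    """Return (executable_path, quoted) for a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = EXE_RE.match(s)
    return (m.group(1) if m else s.split(" ")[0]), False

def loader_candidates(exe_path: str) -> List[str]:
    """Names Windows would try for an unquoted path (each space ends a candidate)."""
    candidates = [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]
    return candidates + [exe_path]

def audit_services(services: Dict[str, str]) -> List[Finding]:
    """Flag services whose executable path is unquoted and contains spaces."""
    findings = []
    for name, image_path in services.items():
        exe, quoted = executable_of(image_path)
        if not quoted and " " in exe:
            findings.append(Finding(name, image_path, exe, loader_candidates(exe)))
    return findings

# Constructed sample ImagePath values (not real registry contents). On a live
# host these come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "QuotedSvc": r'"C:\Program Files\Example Vendor\safe.exe" -run',
    "SvcHostLike": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "UnquotedSvc": r"C:\Program Files\Example Vendor\Discovery Service\disco.exe",
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f.service}: unquoted ImagePath {f.image_path}")
        for c in f.candidates[:-1]:
            print(f"  loader tries first: {c}  (its directory must not be user-writable)")
```

Remediation is to quote the service path (for example with `sc config <name> binPath=`) and to confirm that none of the intermediate directories is writable by standard users.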