
iTunes: Apple closes a security flaw discovered… 8 months ago

Apple recently released iTunes 12.12.9 for Windows, and as we have already seen, this version fixes two security holes. Today the security company Synopsys, which discovered one of the two vulnerabilities (CVE-2023-32353), has revealed the details.

iTunes created a privileged folder with weak access control, which let a local attacker redirect the folder's creation into the Windows system directory and, from there, gain higher privileges.

In detail, iTunes creates a folder, SC Info, in the `C:\ProgramData\Apple Computer\iTunes` directory as the system user and grants full control of that folder to all users. After installation, the first user to run iTunes can delete the SC Info folder, replace it with a link to the Windows system folder, and then force the installer to recreate the folder by triggering a repair; the resulting write into the system folder can later be used to obtain Windows system-level access.
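The two conditions that made this flaw exploitable are both visible from the filesystem: an ACL on SC Info that grants a broad principal full control, and SC Info being a reparse point (junction or symlink) rather than a real folder. The following PowerShell script is an added example for administrators, not code from the article or from Apple or Synopsys; it audits those two conditions on a Windows machine. The SC Info path is the one named above; the function name and the iTunes.exe location used for the version check are assumptions.

```powershell
# Added example (not from the article): audit the iTunes "SC Info" directory for
# the weak ACL and the reparse-point redirection described in the text.
# Path is the one named in the article; function name is our own.
function Test-ITunesScInfoAcl {
    param(
        [string]$Path = 'C:\ProgramData\Apple Computer\iTunes\SC Info'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; IsReparsePoint = $null; WeakAces = @() }
    }

    $item = Get-Item -LiteralPath $Path -Force
    # A junction or symbolic link carries the ReparsePoint attribute; a real folder does not.
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    $acl = Get-Acl -LiteralPath $Path
    # Broad principals that should never hold FullControl on a directory created by SYSTEM.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $weak  = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $full) -eq $full)
    }

    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        IsReparsePoint = $isReparse
        WeakAces       = @($weak | ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" })
    }
}

# Assumed default install location of iTunes.exe; adjust if installed elsewhere.
function Get-ITunesVersion {
    param([string]$Exe = (Join-Path $env:ProgramFiles 'iTunes\iTunes.exe'))
    if (Test-Path -LiteralPath $Exe) {
        return (Get-Item -LiteralPath $Exe).VersionInfo.ProductVersion
    }
    return $null
}

$version = Get-ITunesVersion
$result  = Test-ITunesScInfoAcl
$result | Format-List

if ($version -and ([version]$version -lt [version]'12.12.9')) {
    Write-Warning "iTunes $version is older than 12.12.9 and is affected by CVE-2023-32353."
}
if ($result.IsReparsePoint) {
    Write-Warning 'SC Info is a reparse point; inspect its target before trusting the install.'
}
if ($result.WeakAces.Count -gt 0) {
    Write-Warning "SC Info grants full control to a broad principal: $($result.WeakAces -join '; ')"
}
```

Run it from an elevated prompt so Get-Acl can read the directory regardless of its current owner. A reparse point at that path on a machine that never had iTunes repaired is worth investigating even after the update has been applied, since the link itself is not removed by patching.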

All versions prior to iTunes 12.12.9 are affected by this security flaw, so it is highly recommended to install the update if you have not already done so.

A notable element is the delay between the discovery of the security flaw and the fix. Synopsys says it notified Apple on September 27, 2022. On November 24, Apple confirmed the flaw. However, it took until May 23, 2023 to have a public patch. It is not specified why the delay was so long.

Apple has not said that this flaw was exploited in the wild. Regardless, it is important to update iTunes to avoid unpleasant surprises, especially now that the details of the vulnerability are public.
