Apple has patched an exploit in Bonjour, iTunes, and iCloud for Windows that was an open door for ransomware to attack systems.
The exploit essentially allowed malware to execute in Windows, looking like it was a trusted application. Properly crafted, an attacker could piggyback on an iTunes and Bonjour digital signature, and slip past malware protection.
Morphisec, the security research firm that found the exploit, says that the BitPaymer malware was using this vector of attack to infect systems. Updating Windows systems to the new iTunes 12.10.1 won't decrypt any files that have already been locked, though.
It isn't presently clear when the exploit was introduced. However, Apple has recently updated iTunes and iCloud for Windows, closing off the vector of attack.
Users that have removed iTunes and iCloud from a Windows install aren't necessarily out of the woods. Apple's network auto-discovery tool Bonjour has to be uninstalled separately from iTunes or iCloud for Windows, potentially leaving that avenue open. There is no direct patch for Bonjour without updating iTunes or iCloud for Windows.
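One way for a Windows administrator to find hosts in that state, as an added example that is not from the article, Apple, or Morphisec: list the Apple components named here from the standard Uninstall registry keys, flag Bonjour left behind without iTunes or iCloud, and flag iTunes older than 12.10.1 (the version the article names as carrying the fix). The DisplayName prefixes and the assumption that DisplayVersion parses as a dotted version are mine.

```powershell
# Added example (not the article's or Apple's code): inventory Apple components
# on this host from the 64-bit and 32-bit Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$names = @('Bonjour', 'iTunes', 'iCloud', 'Apple Software Update')

$apple = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.DisplayName; $names | Where-Object { $n -like "$_*" } } |
    Select-Object DisplayName, DisplayVersion, Publisher

$apple | Format-Table -AutoSize

function Test-Present([string]$name) {
    # Match by DisplayName prefix (assumption: installers use these product names).
    return [bool]($apple | Where-Object { $_.DisplayName -like "$name*" })
}

$bonjour = Test-Present 'Bonjour'
$itunes  = Test-Present 'iTunes'
$icloud  = Test-Present 'iCloud'

# Bonjour present with neither iTunes nor iCloud: no iTunes/iCloud update will
# refresh it, so it needs separate removal or manual re-baselining.
if ($bonjour -and -not ($itunes -or $icloud)) {
    Write-Warning 'Bonjour is installed without iTunes or iCloud; an iTunes/iCloud update will not patch it.'
}

# 12.10.1 is the iTunes version the article names as the patched release.
$fixed = [version]'12.10.1'
$apple | Where-Object { $_.DisplayName -like 'iTunes*' } | ForEach-Object {
    $v = [version]$_.DisplayVersion   # assumption: DisplayVersion is a dotted version string
    if ($v -lt $fixed) { Write-Warning "iTunes $v is older than the patched release $fixed" }
}
```

Run it under an account that can read HKLM, or wrap it in Invoke-Command to sweep a fleet.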
Apple's macOS is not and was never impacted by the flaw. Morphisec waited for Apple to patch the exploit, and is just now detailing the vulnerability.
BitPaymer is relatively recent. It was first spotted in the wild targeting hospitals, organizations, universities, and governmental agencies. The ransom for the decryption key was steep, with demands of up to 70 Bitcoin (about $570,000).
4 Comments
You might want to dig into this story a little more. The Blog keeps referencing Bonjour but describes it as, "a mechanism that Apple uses to deliver future updates" and then the vulnerability they demonstrate appears to be in Apple Software Update.
If that's the case, the reason Apple doesn't have a separate patch for Bonjour would be that, as far as I know, you can't get Apple Software Update without getting either Bootcamp or iTunes...
The security firm has updated their article as the original was inaccurate. The vulnerability isn't in Bonjour, it is in Apple Software Update.
Tomahawk, do you have a link to help us track down that change? Appreciate it, we have a large number of users with Bonjour but no iTunes/iCloud or Apple Updater, thanks
Never mind, I think I found it: https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign