iTunes on Windows security flaw allows unauthorized access & data manipulation

iTunes on Windows has a security flaw

In late 2022, the Synopsys Cybersecurity Research Center (CyRC) discovered a security vulnerability within the Windows version of the iTunes app. Exploiting it can lead to local privilege escalation to achieve system-level privileges.

User privileges, also known as permissions, define what a user account can do on a computer system. They are an essential part of the system's security, ensuring that users can perform tasks without compromising the system's security.

Privileges can include the ability to open files, change or delete data, or modify system settings. Users with administrative privileges can do more, such as installing new apps and managing user accounts.

With this vulnerability, someone with limited user privileges on a Windows computer, specifically running specific versions of iTunes, could exploit the system to acquire elevated privileges. That could allow a malicious person to gain unauthorized access to sensitive data, change or delete data they aren't supposed to, or launch attacks on other computers within the same network.

The iTunes software creates a folder ("SC Info") on the Windows system. Only the system should use this folder, but iTunes gives all users complete control over it.

If a user deletes this folder and then creates a link from where the folder was to the Windows system folder, this forces a system repair process that recreates the folder.

That new folder, linked to the system folder, gives assailants high-level access to the Windows system.

How to protect yourself from the iTunes bug

The Synopsys team already reported the vulnerability to Apple, tracked as CVE-2023-32353 in the database of publicly-disclosed computer security flaws known as Common Vulnerabilities and Exposures. As a result, Apple issued a patch on May 23.

It affects versions of iTunes on Windows before 12.12.9, and users are advised to install the update as soon as possible.