Arlen _G_ Holder
2019-10-11 16:28:28 UTC
Yet again, Apple proves to not have tested their software sufficiently...
o For years and years and years and years (just like Google proved)...
A zero-day vulnerability in iCloud and iTunes on Windows PCs allowed
hackers to install ransomware undetected.
"The ... vulnerability ... is a well-known bug that has previously been
identified by other vendors for more than 15 years."
o APPLE ZERO-DAY EXPLOITED IN NEW BITPAYMER CAMPAIGN
<https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign>
"we have identified the abuse of an Apple zero-day vulnerability in the
Apple Software Update utility that comes packaged with iTunes for Windows.
The Windows exploit is important to note given Apple is sunsetting iTunes
for Macs with the release of macOS Catalina this week, while Windows users
will still need to rely on iTunes for the foreseeable future."
"In most cases, people are not aware that they need to uninstall the
Apple Software Update component separately when uninstalling iTunes.
Because of this, machines are left with the updater task installed and
working. We were surprised by the results of an investigation that showed
Apple Software Update is installed on a large number of computers across
different enterprises. Many of the computers uninstalled iTunes years ago
while the Apple Software Update component remains silently, un-updated, and
still working in the background. Following this discovery, we identified
the attack surface and the motivation of the attacker to choose this
process for evasion."