A zero-day vulnerability in the iTunes and iCloud applications was discovered by the security company Morphisec here on October 10th, 2019. The article goes on to disclose additional technical details of the vulnerability. Exploitation of the vulnerability will not trigger an antivirus detection, because the software is signed by Apple and is automatically flagged as okay. The root cause, according to the article, is known as an unquoted service path, which occurs when a developer forgets to surround a file path with quotation marks. “When the bug is in a trusted program — such as one digitally signed by a well-known developer like Apple — attackers can exploit the flaw to make the program execute code that AV protection might otherwise flag as suspicious.”
As of today, Apple has released patches for iTunes and iCloud for Windows to close the security vulnerability.
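To check other Windows services for the same class of bug, the sketch below audits service `ImagePath` strings for unquoted paths that contain spaces and proposes the quoted form. It is an added example, not code from Morphisec's article or from Apple. The service names and paths are constructed sample data, and the values are assumed to be already-expanded strings read from each service's `ImagePath` registry value.

```python
import re

# An executable extension followed by whitespace or end-of-string marks where
# the program path ends and its arguments begin in an unquoted command line.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def audit_image_path(image_path):
    """Classify one service ImagePath string.

    Returns (status, suggested_fix); status is 'quoted', 'no-spaces',
    'unquoted-with-spaces' or 'unparsed'.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return ("quoted", None)
    match = _EXE_END.search(value)
    if match is None:
        return ("unparsed", None)  # e.g. kernel driver paths; review by hand
    exe, args = value[:match.end()], value[match.end():]
    if " " not in exe:
        return ("no-spaces", None)  # unquoted, but nothing ambiguous to split on
    return ("unquoted-with-spaces", '"' + exe + '"' + args)


def audit_services(services):
    """Return {service_name: suggested_fix} for every unquoted path with spaces."""
    findings = {}
    for name, image_path in services.items():
        status, fix = audit_image_path(image_path)
        if status == "unquoted-with-spaces":
            findings[name] = fix
    return findings


# Constructed sample data: these service names and paths are made up.
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\updater.exe /svc",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Agent\agent.exe" --run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, fix in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; quote it as {fix}")
```

Values stored with environment variables such as `%ProgramFiles%` need to be expanded before they are passed in, since the space only appears after expansion.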