Another day, another vulnerability. This time it is again Apple's, but indirectly: it affects Windows systems running iTunes. In August, researchers from Morphisec Labs identified the flaw being abused in the wild. It sits in the Bonjour updater packaged with iTunes for Windows, and it was used to deliver ransomware in an attack on an unnamed enterprise in the automotive industry.
The cybercrime group behind the BitPaymer and iEncrypt ransomware attacks was found exploiting this zero-day in the updater bundled with Apple's iTunes and iCloud software for Windows (Bonjour) to evade antivirus detection.
The Bonjour component was vulnerable to an unquoted service path, a common Windows weakness that occurs when the path to a service executable contains spaces and is not enclosed in double quotes (""). Without the quotes, Windows cannot tell where the executable's path ends and its arguments begin, so it tries each prefix that ends at a space until it finds a file it can run.
An unquoted service path can be exploited by planting a malicious executable at one of those intermediate paths, so that a legitimate, trusted service launches the attacker's program instead of its own. That buys both persistence and evasion: the malware is started by a trusted parent process, and signature-based detection does not work as perfectly as you might think.
Beyond evading detection, in some cases an unquoted service path can also be abused to escalate privileges, when the vulnerable service runs with higher privileges (for example as LocalSystem) and a low-privileged user can write to one of the directories along the path.
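To make the mechanism concrete, here is an added example (not code from this article, from Apple or from Morphisec) that takes service ImagePath values in the form Windows stores them in the registry, lists in order the files Windows would try to start before reaching the real executable, and filters those down to the ones whose parent directory the current user can write to. The service names and paths in SAMPLE_SERVICES are constructed for the demonstration and are not Apple's real registry entries; on Windows the script reads the actual service list from the registry instead.

```python
"""Enumerate the planting spots created by an unquoted Windows service path.

Added example, not code from the original article, from Apple or from Morphisec.
When a service ImagePath is unquoted and contains spaces, CreateProcess tries
each prefix that ends at a space (appending ".exe" when the prefix has no
extension) until it finds a file, so an ImagePath of
    C:\\Program Files\\Vendor App\\updater.exe -service
is resolved by trying C:\\Program.exe, then C:\\Program Files\\Vendor.exe, then
the real updater.exe. Any earlier spot whose directory a low-privileged user
can write to lets that user get their own binary started by the service.
"""
import ntpath
import os
import sys

# Constructed sample of ImagePath values as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Made-up services, not Apple's.
SAMPLE_SERVICES = {
    "SafeSvc": '"C:\\Program Files\\Vendor App\\safe.exe" -run',          # quoted: fine
    "UpdaterSvc": 'C:\\Program Files\\Vendor App\\updater.exe -service',  # unquoted: vulnerable
    "SystemSvc": 'C:\\Windows\\System32\\svchost.exe -k netsvcs',         # no space before .exe: fine
}


def candidate_paths(image_path):
    """Files Windows would try, in order, to start the service with this ImagePath."""
    s = os.path.expandvars(image_path.strip())
    if s.startswith('"'):
        return []  # a quoted path is unambiguous, nothing to enumerate
    parts = s.split(" ")
    tried = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        last = ntpath.basename(prefix)
        if "." not in last:
            prefix += ".exe"  # CreateProcess appends .exe to an extension-less name
        tried.append(prefix)
        if last.lower().endswith(".exe"):
            break  # reached the intended executable; the rest are its arguments
    return tried


def planting_spots(image_path):
    """Every candidate that would be tried before the intended executable."""
    return candidate_paths(image_path)[:-1]


def exploitable_spots(image_path, can_write_dir=None):
    """Planting spots whose parent directory the current user can write to.

    can_write_dir is injectable so the logic can be exercised with constructed
    data; the default os.access check only honours the read-only attribute on
    Windows, so confirm a hit with icacls or Get-Acl before trusting it.
    """
    if can_write_dir is None:
        can_write_dir = lambda d: os.access(d, os.W_OK)
    return [p for p in planting_spots(image_path) if can_write_dir(ntpath.dirname(p))]


def scan_services(services):
    """Map each service with an unquoted, space-containing path to its planting spots."""
    findings = {}
    for name, image_path in services.items():
        spots = planting_spots(image_path)
        if spots:
            findings[name] = spots
    return findings


def read_registry_services():
    """Read ImagePath for every installed service (Windows only)."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    services[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                pass  # no ImagePath value (e.g. a driver stub) or access denied
    return services


if __name__ == "__main__":
    services = read_registry_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, spots in scan_services(services).items():
        print(f"{name}: unquoted path, Windows would try {spots} before the real binary")
```

The privilege-escalation case from the paragraph above is exactly the output of exploitable_spots: a spot is only useful to an attacker if its directory is writable, and C:\ or C:\Program Files normally are not for a standard user, which is why a writable vendor subdirectory further down the path is what to look for.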
No CVE ID has been assigned yet; Apple security documents reference vulnerabilities by CVE ID when possible.
Bonjour is a background service (Apple's zero-configuration networking component) used by Apple's Windows apps such as iTunes and Safari. It may have been installed on your computer without you noticing, and if you look for it as an app with an icon, you will not find it that way.
If you have ever installed any Apple software on your Windows computer and later uninstalled it, check the list of installed applications for the Bonjour updater and uninstall it manually.
Apple fixed this vulnerability with the security updates for iCloud and iTunes for Windows released last week. Bear in mind that uninstalling iTunes alone does not fix the problem: Apple Software Update keeps running on the machine and must be removed separately.
This criminal group shows an advanced and innovative effort, in this case trying to evade EDRs, and almost certainly antivirus, by using the unquoted path in the Apple Bonjour Update service to run malware, ransomware in this case.
Even if you do not think you have it, we suggest checking the installed programs manually: sometimes simply plugging in an iPhone or iPod is enough for Bonjour to be installed on your Windows machine, even if you only used the USB port to charge the device.
After discovering the exploitation of this vulnerability, the researchers reported the details to Apple so it could fix the issue before other groups started exploiting it. Apple had the time to do so and has since released security updates for these programs.