The release of macOS Catalina marked a seminal moment in the history of Apple — the dissolution of iTunes as a single, standalone element in favor of breaking it apart into multiple apps now dedicated to specific functions, like Music and Books. Along with the iPhone, iTunes was for years deeply woven into the very Apple brand, the company having used it to popularize the idea of cheaply priced, downloadable songs and changing the music industry forever.
But having said all that, it’s still arguably business as usual when it comes to iTunes if you’re a Windows user. Apple didn’t immediately disclose plans as to the future of the software on Windows, though it is highly recommended at the moment that Windows users immediately download the latest version of iTunes if they haven’t done so already.
The reason is that the new version includes a patch from Apple for a zero-day flaw that was discovered and which could have allowed someone to install ransomware on those Windows computers running the older versions of iTunes. The security issue was identified thanks to the cybersecurity firm Morphisec, which explains in a blog post that the problem was a flaw within the update utility that comes packaged with iTunes for Windows.
“The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future,” the post reads, adding that whoever is behind this “abused an unquoted path to maintain persistence and evade detection.
“The unquoted path vulnerability is rarely seen in the wild, yet it is a well-known bug that has previously been identified by other vendors for more than 15 years. In most cases, the vulnerability is mentioned in the context of privilege escalation because it exists in a service or other process with administrative execution rights.” This vulnerability has been so thoroughly documented, Morphisec continues, that you would expect programmers to be pretty well aware of the vulnerability. “But that is not that case, and this Apple zero-day is evidence.”
The firm says it waited for an updated to be issued from Apple before publishing this research. For users to make sure they’re protected, make sure you’re running iTunes 12.10.1 for Windows in addition to iCloud for Windows 7.14. If you choose to delete iTunes altogether, however, that’s still not enough. Per Morphisec, you’ll also need to uninstall the Apple Software Update component separately when uninstalling iTunes.