Apple has patched a vulnerability in iCloud for Windows and iTunes for Windows that malicious actors had been exploiting to evade antivirus and endpoint detection and response systems as they attempted to infect machines with ransomware.
Specifically, the zero-day flaw was discovered in Bonjour – a mechanism for delivering future updates and also for helping devices, apps and services discover each other. Bonjour comes packaged with iTunes for Windows machines, which for the foreseeable future will continue to use the music app, even as Apple phases it out on its own desktop devices, starting with the release of its new Catalina version of macOS.
Researchers at Morphisec discovered the vulnerability and corresponding exploit, which they have attributed to an ongoing malicious campaign that’s been targeting U.S. public and private companies with BitPaymer ransomware (aka IEncrypt) since approximately six months ago.
The exploited flaw is identified as an unquoted path vulnerability. This happens when the path to an executable service mistakenly contains spaces and also is not surrounded by quotes. “Software developers are using more and more object-oriented programming, and many times when assigning a variable with a path, they assume that using the String type of the variable alone is enough – well it’s not! The path still needs to be surrounded by quotes,” states Morphisec researcher Michael Gorlick in company blog post.
Unquoted path vulnerabilities are most commonly exploited for privilege escalation, but in this case the flaw has been used to evade users’ security defenses, Gorlick notes. Even users who uninstall iTunes are still affected because they must separately uninstall the Bonjour component to protect themselves.
“We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises,” Gorlick says in the blog post. “Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background. Following this discovery, we identified the attack surface and the motivation of the attacker to choose this process for evasion.”
Apple began distributing a fix for the problem on Oct. 7 with its release of iTunes 12.10.1 for Windows and iCloud for Windows 7.14 and 10.7. The company did not reserve a CVE number for this particular vulnerability, but in its security advisories it did credit Gorlick for his assistance. But Apple still has work to do, as Morphisec has found even more unquoted path vulnerabilities in the company’s iTunes software and its installer.
“They still have similar vulnerabilities in their other executables which weren’t patched. We cannot name them until they are patched,” Gorlick told SC Media in an emailed comment.
In his blog post, Gorlick says that the exploit is effective because the attackers are using a legitimate process signed by a known vendor to execute a malicious process. This may be enough to fool behavior-based detection solutions into thinking the malicious process is actually benign. “Security vendors try to minimize unnecessary conflicts with known software applications, so they will not prevent this behaviorally for fear of disrupting operations,” he explains.
Also, because the malicious file doesn’t come with a suspicious extension such as .exe, AV products may ignore it.
“In this scenario, Bonjour was trying to run from the ‘Program Files’ folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named ‘Program,’ says Gorlick. “This is how the zero-day was able to evade detection and bypass AV.”