Ransomware attackers have been abusing a vulnerability in the Windows version of Apple iTunes to avoid detection from antivirus software, according to security researchers.

The problem lies in the Apple-created Bonjour updater that ships with iTunes for Windows and is used to deliver software updates to the app. Security firm Morphisec has discovered that it suffers from an "unquoted path vulnerability," which can cause the Bonjour updater to indiscriminately run a file, whether it be safe or malicious.

The hackers behind the BitPaymer ransomware strain discovered the vulnerability and used it in their attacks. Specifically, they delivered a malicious file to exploit the flaw as a way to evade detection by antivirus software on a Windows system.

The Bonjour updater is well known in the software industry, and as a result, antivirus protection algorithms will generally ignore it to prevent software conflicts on Windows PCs, Morphisec CTO Michael Gorelik wrote in a Thursday report.

"In this scenario, Bonjour was trying to run from the 'Program Files' folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named 'Program,'" he added.
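The resolution order behind that behaviour can be checked for in an audit. The following is an added example, not code from Morphisec's report or from Apple: it follows the documented Windows CreateProcess search order for an unquoted command line and flags entries that need quoting. The entry names and paths are constructed; real input would come from service or scheduled-task definitions.

```python
import re

# Constructed sample entries (hypothetical names and paths), in the form found
# in a service ImagePath value or a scheduled-task action.
SAMPLE = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\updater.exe -background",
    "QuotedUpdater": r'"C:\Program Files\Example Vendor\Updater\updater.exe" -background',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def split_image(command_line):
    """Return (intended_image_path, was_quoted) for a Windows command line."""
    cmd = command_line.strip()
    if not cmd:
        return "", False
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end != -1 else cmd[1:]), True
    # Unquoted: treat the first ".exe" followed by whitespace or end of string
    # as the end of the executable the author meant to run.
    m = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    return (cmd[:m.end()] if m else cmd.split()[0]), False

def earlier_candidates(image_path):
    """Paths Windows tries before image_path when it is passed unquoted.

    At every whitespace break the prefix is tried as a program name, with
    ".exe" appended when the last path component has no extension.
    """
    out = []
    for m in re.finditer(r"\s+", image_path):
        prefix = image_path[:m.start()]
        leaf = prefix.rsplit("\\", 1)[-1]
        out.append(prefix if "." in leaf else prefix + ".exe")
    return out

def audit(entries):
    """Map each unquoted entry whose path contains spaces to the paths tried first."""
    findings = {}
    for name, cmd in entries.items():
        image, quoted = split_image(cmd)
        if not quoted and re.search(r"\s", image):
            findings[name] = earlier_candidates(image)
    return findings

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(f"{name}: quote this path; Windows tries these first: {paths}")
```

Any flagged entry should have its executable path wrapped in double quotes, and the listed locations are worth checking for files that should not be there.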

According to Morphisec, the BitPaymer ransomware attackers have been targeting companies by first delivering phishing emails that secretly contain malware. The attackers will then conduct reconnaissance over the target's corporate network before unleashing ransomware on the victim's computers. Other attacks have involved first guessing the passwords to remote desktop computers at a victim organization to gain a foothold.

Fortunately, Apple earlier this week fixed the unquoted path vulnerability in iTunes by rolling out updates for iCloud to both Windows 7 and Windows 10. However, Morphisec is warning that many users may be running unpatched versions of the Bonjour updater on their PCs, despite having removed iTunes.

"We were surprised by the results of an investigation that showed the Bonjour updater is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Bonjour component remains silently, un-updated, and still working in the background," Gorelik wrote in his report.

You can uninstall Bonjour by going into Windows' Settings menu or by using the Control Panel. Although Apple is retiring iTunes on the new macOS Catalina, the company will continue using the software on Windows systems.
