iTunes Zero-Day Vulnerability Exploited by BitPaymer Ransomware

The BitPaymer ransomware operators were observed abusing a zero-day vulnerability in Apple’s iTunes for Windows to run code and evade detection, Morphisec’s security researchers have discovered.

The security flaw resides in the Bonjour updater that comes packaged with iTunes for Windows and allows attackers to abuse an unquoted path to not only evade detection from antivirus software, but also to maintain persistence on the targeted machine.

Apple has addressed the vulnerability this week with the release of iTunes 12.10.1 for Windows, after being alerted about BitPaymer operators abusing it. The company has credited Michael Gorelik of Morphisec for his assistance.

“The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future,” Gorelik notes.

Rarely seen in the wild, an unquoted path vulnerability means that the impacted software’s developers stored the executable’s path as a plain string and did not surround it with quotes (“”). Because the path contains spaces, Windows cannot tell where the executable name ends, so it may try the shorter prefixes of the path before reaching the intended file.

What Morphisec’s security researchers discovered was that Bonjour, a mechanism that Apple uses to deliver updates, has such an unquoted path. It also has an installation entry in the installed software section, as well as a scheduled task to execute its process.

Moreover, in most cases, users uninstall iTunes but do not remove the Bonjour component separately, meaning that the updater task remains up and working. With numerous computers in enterprise environments still running the Bonjour updater, it’s clear why the attacker chose it for evasion.

Detection solutions usually monitor software behavior, where the chain of process execution plays a major role. Bonjour is a signed and well-known process, and security vendors avoid flagging it to prevent unnecessary disruptions, meaning that attackers can abuse it to execute a new malicious child process without triggering an alert.

What’s more, the malicious payload in this attack did not use an extension such as “.exe”, meaning that a security program will likely not scan it.

As part of the attack, Bonjour was attempting to run from the “Program Files” folder, but it ended up loading the BitPaymer ransomware due to the unquoted path (the malware was named “Program”). This allowed the attackers to evade detection and bypass antiviruses, Gorelik reveals.

The researcher says this discovery led to the identification of additional unquoted path vulnerabilities in the iTunes software and installer. Exploitation scenarios were possible even with the malicious file placed on a different drive and having a different name, such as Apple or Apple Software.
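To make the resolution behaviour concrete from a defender's side, the following Python script is an added example (not Morphisec's or Apple's code) that models, in simplified form, the order in which Windows tries prefixes of an unquoted path containing spaces, and audits a constructed inventory of scheduled-task and service command lines for the locations a planted file would have to occupy. All task names, paths (such as `C:\Program Files\Bonjour\updater.exe`) and the set of "writable" directories are constructed assumptions for the exercise; on a real host the writable set would come from an ACL review.

```python
"""Model how Windows resolves an unquoted executable path containing spaces,
and audit a set of task/service command lines for hijack points.
Added example for illustration; not Morphisec's or Apple's code."""
import ntpath
from typing import Dict, List


def executable_is_quoted(cmdline: str) -> bool:
    """A command line whose executable is wrapped in double quotes is safe from
    this class of bug: Windows reads the path up to the closing quote."""
    return cmdline.lstrip().startswith('"')


def unquoted_prefixes(cmdline: str) -> List[str]:
    """Return the file names Windows may try *before* the intended executable.

    For an unquoted command line with spaces, the loader tries each
    space-delimited prefix in turn (bare, and with '.exe' appended) until one
    resolves to an existing file. This is a simplified model of the
    CreateProcess search order; it stops at the first prefix ending in '.exe',
    which this helper assumes is the intended target (anything after it is
    treated as arguments).
    """
    if executable_is_quoted(cmdline):
        return []
    tokens = cmdline.strip().split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; later tokens are arguments
        candidates.append(prefix)           # e.g. C:\Program (no extension, as in the attack)
        candidates.append(prefix + ".exe")  # e.g. C:\Program.exe
    return candidates


def audit_entries(entries: Dict[str, str], writable_dirs: List[str]) -> Dict[str, List[str]]:
    """Map each entry name to the hijack points whose parent directory is in
    the writable set. The writable set is supplied by the auditor (e.g. from
    an ACL review); this function only does the path reasoning."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    findings: Dict[str, List[str]] = {}
    for name, cmd in entries.items():
        risky = [p for p in unquoted_prefixes(cmd)
                 if ntpath.dirname(p).rstrip("\\").lower() in writable]
        if risky:
            findings[name] = risky
    return findings


# Constructed sample inventory: hypothetical task names and paths, not taken
# from any real system or from the article.
SAMPLE_ENTRIES = {
    "Bonjour updater task": r"C:\Program Files\Bonjour\updater.exe",
    "Second-drive install": r"D:\Apple Software\Bonjour\updater.exe -silent",
    "Quoted vendor tool": r'"C:\Program Files\Vendor\tool.exe" /update',
    "Path without spaces": r"C:\Tools\agent.exe",
}
# Constructed: directories assumed writable by the adversary for this exercise.
SAMPLE_WRITABLE = ["C:\\", "D:\\"]


def main() -> None:
    for name, points in audit_entries(SAMPLE_ENTRIES, SAMPLE_WRITABLE).items():
        print(f"{name}: unquoted path; monitor for files at {', '.join(points)}")


if __name__ == "__main__":
    main()
```

The two unquoted entries are reported with their prefixes (`C:\Program` and `D:\Apple`, each also with `.exe`), which are exactly the locations worth watching with file-creation alerts and the reason the fix is simply to quote the path in the task or service definition; the quoted entry and the path without spaces produce no findings.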

“Of course, the adversary would need write-privileges for any of those folders. We haven’t observed any possible privilege escalations due to this vulnerability,” the researcher notes.

Related: Forked Version of BitPaymer Ransomware Emerges

Related: Dridex Authors Build New Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
