The zero-day vulnerability resides in the Bonjour updater that comes packaged with Apple’s iTunes and
The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.
“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is
“The adversaries abused an unquoted path to maintain persistence and evade detection.”
The Bonjour updater runs in the background and automates multiple tasks, including automatically download the updates for Apple software. Experts pointed out that the Bonjour updater has its own installation entry in the installed software section and a scheduled task to execute the process. This means that even uninstalling iTunes and
The experts discovered that the Bonjour updater was vulnerable to the unquoted service path vulnerability.
Unquoted search paths are a relatively older vulnerability that occurs when the path to an executable service or program (commonly
“Additionally, the malicious “Program” file doesn’t come with an extension such as “
Experts explained that attackers using a legitimate process signed by a trusted vendor, like Bonjour, will be able to execute a new malicious child process evading detection. In this specific attack, security programs have not scanned the malicious payloads because they did not use an extension,
The unquoted service path vulnerability could also be exploited by attackers to escalate privileges.
Users that have installed an Apple software on their Windows computer and then uninstalled it, should manually uninstall the Bonjour updater if present.