The zero-day vulnerability resides in the Bonjour updater that comes packaged with Apple’s iTunes and
The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.
“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is
“The adversaries abused an unquoted path to maintain persistence and evade detection.”
The Bonjour updater runs in the background and automates multiple tasks, including automatically downloading updates for Apple software. Experts pointed out that the Bonjour updater has its own installation entry in the installed software section and a scheduled task to execute the process. This means that even uninstalling iTunes and
The experts discovered that the Bonjour updater was affected by an unquoted service path vulnerability.
Unquoted search paths are a relatively old class of vulnerability that occurs when the path to an executable service or program (commonly
“Additionally, the malicious “Program” file doesn’t come with an extension such as “
Experts explained that attackers using a legitimate process signed by a trusted vendor, like Bonjour, are able to execute a new malicious child process while evading detection. In this specific attack, security programs did not scan the malicious payloads because they did not use an extension,
The unquoted service path vulnerability could also be exploited by attackers to escalate privileges.
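The check a defender would run for this class of bug is an audit of service ImagePath values: any executable path that is not wrapped in quotes and contains a space is a candidate. The script below is an added example, not code from the article or from Morphisec; the service entries are constructed sample values (the Bonjour line mirrors the path discussed above), and on a real host they would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ImagePath values in the style of
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not from a real host).
SAMPLE_SERVICES: Dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Quoted Vendor Svc": r'"C:\Program Files\Vendor\agent.exe" -k netsvcs',
    "Spaced With Args": r"C:\Tools\Acme Agent\bin\acmesvc.exe --service",
    "No Space Svc": r"C:\Vendor\agent.exe",
}

# First ".exe" in the value marks the end of the executable path (heuristic:
# an unquoted path is ambiguous by definition, so this is a best-effort split).
_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_from_image_path(image_path: str) -> Tuple[str, bool]:
    """Return (executable path, was_quoted) for a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end > 0 else value[1:]), True
    m = _EXE_RE.match(value)
    return (m.group(1) if m else value.split(" ")[0]), False


def ambiguous_prefixes(exe_path: str) -> List[str]:
    """Shorter paths that an unquoted path can resolve to: the text before
    each space, e.g. C:\\Program. The article's extensionless "Program" file
    sat at exactly such a prefix, so check both the bare name and name.exe."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts))]


def find_unquoted_service_paths(services: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag services whose executable path is unquoted and contains a space."""
    findings = []
    for name, image_path in services.items():
        exe, quoted = executable_from_image_path(image_path)
        if quoted or " " not in exe:
            continue
        findings.append((name, exe, ambiguous_prefixes(exe)))
    return findings


if __name__ == "__main__":
    for name, exe, prefixes in find_unquoted_service_paths(SAMPLE_SERVICES):
        print(f"[!] {name}: {exe}")
        for p in prefixes:
            print(f"    verify nothing exists or is writable at: {p}")
```

Each flagged entry is fixed by quoting the ImagePath so that the executable is a single token, and each listed prefix is worth a one-time check that no unexpected file lives there and that the directory is not writable by standard users.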
Users who have installed Apple software on their Windows computer and then uninstalled it should manually uninstall the Bonjour updater if it is still present.