A critical security flaw within the iTunes application for Windows 10 and Windows 11 users could have allowed malicious attackers to arbitrarily execute code remotely, Apple confirmed in a support document published on May 8.
What is CVE-2024-27793?
Willy R. Vasquez, a graduate student and security researcher at the University of Texas at Austin whose sandboxing code contributions will be present in the Firefox 117 web browser, is behind the discovery of CVE-2024-27793. The vulnerability, rated critical using the Common Vulnerability Scoring System v3, affects the CoreMedia framework, which defines the media pipeline that’s ultimately used to “process media samples and manage queues of media data,” says Apple.
Apple doesn’t disclose, discuss, or confirm security issues until an investigation has taken place and a fix is available. The good news is that such a fix is now available, but details concerning the vulnerability remain scarce.
“CVE-2024-27793 is one of the many vulnerabilities that I and my co-authors Stephen Checkoway and Hovav Shacham found in our research analyzing H.264 video decoders,” Vasquez told me. “We have developed a tool called H26Forge that generates corrupted compressed videos that can be used to either fuzz a video decoder or exploit a vulnerability in a video decoder.”
I’ve reached out to Apple for more information and can update this text as I learn more.
Which users are affected by the Apple iTunes vulnerability?
It is thought to apply to versions of the iTunes for Windows app before 12.13.2, which was released on May 8 concurrently with the security notification. In particular, users of the app running on Windows 10 and 11 platforms should take note. According to the security document published by Apple Support, the impact of the vulnerability is that “parsing a file may result in an unexpected app termination or arbitrary code execution.”
In other words, an attacker who gets the app to parse a maliciously crafted file could execute arbitrary code. It should be said that the attacker doesn’t necessarily need to be someone who has local access to the Windows machine in question. That the vulnerability could lead to such remote code execution is the main reason for the critical CVSS v3 rating of 9.1 out of 10. It is also known that the vulnerability arose from improper checks in this CoreMedia framework component, as Apple says that it was “fixed with improved controls.”
According to the Vulnerability Database resource, CVE-2024-27793 can be easily exploited remotely and without any authentication. However, successful exploitation requires user interaction. This is believed to occur by clicking on a link or visiting a website where the malicious file will be parsed by CoreMedia.