Apple confirms the finding of a critical security flaw in the iTunes program for Windows 10 and Windows 11 users, which could have allowed malicious attackers to execute code remotely at will.
Willy R. Vasquez, a security researcher at the University of Texas in Austin, uncovered the vulnerability, known as CVE-2024-27793. This vulnerability affects the CoreMedia framework, which processes media samples and manages media data queues in iTunes.
A major security flaw in the iTunes app for Windows 10 and Windows 11 users could have allowed malicious attackers to execute code remotely, Apple said in a support article published on May 8.
About CVE-2024-27793
Willy R. Vasquez, a Ph.D. scholar and security expert at The University of Texas at Austin, discovered CVE-2024-27793 and contributed sandboxing code to the Firefox 117 web browser. The vulnerability, rated critical by the Common Vulnerability Scoring System v3, affects the CoreMedia framework, which provides the media pipeline used to process media samples and handle batches of media information, says Apple.
The flaw allows an attacker to execute arbitrary code by sending a maliciously crafted request during the file processing. It is critical to highlight that the attacker does not need physical access to the Windows PC, as the exploitation can be carried out remotely.
The vulnerability explained
The CVSS v3 critical grade of 9.1 out of 10 is mostly due to the potential for remote code execution. The basic root of the flaw was found as inadequate checks inside the CoreMedia framework component, which Apple fixed with enhanced checks in the most recent release.
Based on the Vulnerability Database resource, CVE-2024-27793 can be leveraged remotely without authentication, although successful exploitation requires human involvement. This interaction could include clicking a link or visiting a website where CoreMedia processes the malicious file.
The ease of exploitation and potential impact of arbitrary code execution emphasize the seriousness of this issue. Users should upgrade their iTunes programs to the most recent version to protect themselves from any attacks exploiting this security weakness.
Protecting Your System
Here are some steps you can take to safeguard your system:
- Update iTunes: Ensure that you’re running the latest version of iTunes. Apple’s security patches are typically included in software updates, so staying up-to-date is essential.
- Be Cautious: Avoid clicking on suspicious links or visiting untrusted websites. Malicious actors often use social engineering tactics to trick users into interacting with harmful content.
- Regular Backups: Regularly back up your data to an external drive or cloud storage. In case of a security breach, having backups ensures that you won’t lose critical files.
- Use Antivirus Software: Install reputable antivirus software and keep it updated. Antivirus tools can detect and block known threats, providing an additional layer of defense.