A new arbitrary code execution vulnerability has been discovered in iTunes that could allow a threat actor to run malicious code on an affected machine.
The vulnerability has been assigned CVE-2024-27793; its severity has not yet been rated.
Apple has released a security advisory addressing the vulnerability, which also states that “Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
Technical Analysis
According to the reports shared with Cyber Security News, the vulnerability affects iTunes for Windows versions prior to 12.13.1: parsing a malicious file may lead to unexpected app termination or arbitrary code execution on the affected device.
Apple has addressed the vulnerability by improving the checks performed before a file is parsed.
Users of Apple iTunes for Windows are advised to upgrade to iTunes version 12.13.2 to patch this vulnerability.
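As an added inventory check (not from the article or from Apple), the PowerShell script below finds iTunes for Windows installs on a host and flags any older than the 12.13.2 release the article points to. It assumes the classic MSI build registers under the standard Uninstall keys with DisplayName "iTunes" and that the Microsoft Store build is the Appx package "AppleInc.iTunes"; both are assumptions, not details from the article.

```powershell
# Added example: flag iTunes for Windows installs older than the fixed release.
# Assumption: MSI build appears under the standard Uninstall keys as "iTunes";
# Store build is the Appx package "AppleInc.iTunes" (both assumed, not from the article).

$PatchedVersion = [version]'12.13.2'   # version the article recommends upgrading to

function Get-ITunesInstalls {
    $found = [System.Collections.Generic.List[object]]::new()

    # Classic installer: 64-bit and 32-bit (WOW6432Node) Uninstall hives
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -eq 'iTunes' -and $_.DisplayVersion } |
            ForEach-Object {
                $found.Add([pscustomobject]@{ Source = 'MSI'; Version = $_.DisplayVersion })
            }
    }

    # Microsoft Store build, if present (Get-AppxPackage returns nothing otherwise)
    Get-AppxPackage -Name 'AppleInc.iTunes' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $found.Add([pscustomobject]@{ Source = 'Store'; Version = $_.Version })
        }

    return $found
}

function Test-ITunesPatched {
    param([string]$InstalledVersion)
    # [version] accepts 2-4 dotted components; an unparsable string is treated as unpatched
    try { $v = [version]$InstalledVersion } catch { return $false }
    return ($v -ge $PatchedVersion)
}

$installs = Get-ITunesInstalls
if ($installs.Count -eq 0) {
    Write-Output 'iTunes not found on this host.'
} else {
    foreach ($i in $installs) {
        $state = if (Test-ITunesPatched $i.Version) { 'OK' } else { 'UPGRADE REQUIRED' }
        Write-Output ('iTunes ({0}) {1}: {2}' -f $i.Source, $i.Version, $state)
    }
}
```

Run it from an elevated PowerShell prompt on each Windows host (or through your endpoint management tooling) and act on any line reporting UPGRADE REQUIRED.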
In recent times, several vulnerabilities have been identified in Apple products and services; the most recent was an SQL injection vulnerability that led to a compromise of Apple's infrastructure.
Other notable cases of Apple products being targeted by threat actors include “push bombing” attacks, exploitation of the GoFetch vulnerability, a type confusion zero-day (CVE-2024-23222) and several others.
There have also been cases where Apple’s iMessage was exploited. Users of Apple products are advised to upgrade their devices to the latest versions to prevent these kinds of vulnerabilities from being exploited by threat actors.