Penka Hristovska
Published on: May 13, 2024
Apple has confirmed a critical security vulnerability in the iTunes application for Windows 10 and Windows 11 users.
According to an Apple Support document published on May 8, this flaw could have allowed malicious attackers to execute code remotely.
This vulnerability has been assigned the identifier CVE-2024-27793 and has been rated as critical under the Common Vulnerability Scoring System v3. It reportedly affects the CoreMedia framework, which Apple described as the foundation for the media pipeline, the system responsible for handling audio and video data.
Core Media offers low-level data types and interfaces that allow for efficient processing of media samples and management of data queues. Essentially, it enables developers to manipulate media content directly and efficiently, ensuring smooth playback, editing, and interaction with various media types across Apple devices.
Apple hasn’t disclosed much information about the vulnerability, except that it affects versions of the iTunes for Windows app prior to 12.13.2, which was released on May 8 to coincide with the security update. According to the security document published by Apple Support, the impact of the vulnerability is that “parsing a file may lead to an unexpected app termination or arbitrary code execution.”
Essentially, this security flaw in iTunes for Windows allowed attackers to execute their own code on someone else’s computer by manipulating how files are handled during parsing. The critical part is that the attacker doesn’t need to have physical access to the computer; they can do this remotely.
This remote exploit capability is why the vulnerability was rated as highly critical. Apple has acknowledged that the flaw was due to insufficient validation processes within its CoreMedia framework component.
The company has addressed the issue by enhancing the verification process for files sent to iTunes. Still, Windows users should make sure they’re using iTunes version 12.13.2 to stay protected. Additionally, they may consider running an antivirus scan.
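The version check recommended above can be run across many machines. The following is an added example, not code from Apple or the original article: it audits a software-inventory export for iTunes installs older than 12.13.2, comparing versions numerically so that a release such as 12.9.5 is not mistaken for newer than 12.13.2. The CSV layout, host names and version values are constructed for illustration.

```python
import csv
import io

FIXED = (12, 13, 2)  # first fixed iTunes for Windows release named in the article

# Constructed sample: software-inventory export (host, product, version).
SAMPLE_INVENTORY = """host,product,version
ws-001,iTunes,12.13.2.3
ws-002,iTunes,12.9.5.7
ws-003,iTunes,12.13.1.3
ws-004,VLC media player,3.0.20
ws-005,iTunes,
ws-006,iTunes,12.13.2
ws-007,iTunes,12.12.10.1
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_fixed(version, fixed=FIXED):
    """True if version >= fixed, compared numerically with zero padding."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(fixed)

def audit(inventory_csv):
    """Classify each iTunes row as 'fixed', 'vulnerable' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "itunes":
            continue
        version = parse_version(row["version"] or "")
        if version is None:
            # A missing or malformed version is reported, never assumed patched.
            results[row["host"]] = "unknown"
        else:
            results[row["host"]] = "fixed" if is_fixed(version) else "vulnerable"
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since a blank or malformed version field says nothing about whether the update was applied.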