Morphisec, an endpoint security company, identified a coding mistake in Apple's iTunes for Windows that let ransomware operators slip past security controls. The vulnerability was in the Bonjour component, Apple's zero-configuration networking service that ships with iTunes, and it was being actively exploited by the group behind the BitPaymer ransomware before Apple patched it.
The Vulnerability: Unquoted Service Path
The flaw is what's known as an "unquoted service path" vulnerability. When Windows is handed a path that contains spaces and isn't wrapped in quotation marks, it cannot tell where the executable name ends and the arguments begin, so it tries each space-delimited prefix in turn. For an illustrative path such as C:\Program Files\Example Vendor\updater.exe, Windows first looks for C:\Program.exe, then for C:\Program Files\Example.exe, and only then for the intended updater.exe. An attacker who can create a file in one of those earlier locations plants a malicious executable there, and Windows runs it instead of the legitimate Bonjour updater. The precondition is a writable directory somewhere along the path, which is why the root of the system drive and loosely permissioned Program Files subfolders matter so much.
Because the Bonjour updater runs with elevated system privileges, the planted executable inherits them. No User Account Control (UAC) prompt is involved, since a service already running as SYSTEM never shows one, and because the malicious file is started by a trusted, signed Apple process, antivirus products that watch for unknown programs elevating themselves had nothing to trigger on.
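The PowerShell script below is an added example, not code from Morphisec, Apple or Landshark IT. It audits the local machine for services whose ImagePath is unquoted and contains spaces, lists the executables Windows would probe before the intended one, and reports whether the current user can write to each of those locations. It uses only built-in cmdlets; the path in the comments is illustrative, and the -Fix switch is this script's own option, not an Apple or Windows feature. Run it as a standard user to learn what an unprivileged attacker could plant, and as an administrator with -Fix to quote the paths in the registry.

```powershell
# Added example, not code from Morphisec, Apple or Landshark IT.
# Finds unquoted service paths with spaces, shows what Windows would probe,
# and flags probe locations the current user can write to.
[CmdletBinding()]
param([switch]$Fix)

function Get-ProbeCandidates {
    # For an unquoted executable path such as (illustrative)
    #   C:\Program Files\Example Vendor\updater.exe
    # CreateProcess tries, in order, C:\Program.exe,
    # C:\Program Files\Example.exe, and then the intended updater.exe.
    # $Executable is the path up to and including ".exe", without arguments.
    param([string]$Executable)
    $candidates = @()
    $tokens = $Executable -split ' '
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        $candidates += "$prefix.exe"
    }
    return $candidates
}

function Test-DirectoryWritable {
    # Try to create and delete an empty file. True means the caller's token
    # could plant a binary there. Assumes no file-screening policy interferes.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('usp-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $pathName = $svc.PathName
    # Quoted paths are safe; so are paths whose only spaces are in the arguments.
    if (-not $pathName -or $pathName.StartsWith('"')) { continue }
    if ($pathName -match '^(.*?\.exe)') { $exe = $Matches[1] } else { continue }
    if ($exe -notmatch ' ') { continue }

    foreach ($candidate in Get-ProbeCandidates -Executable $exe) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            Probe        = $candidate
            WritableByMe = Test-DirectoryWritable -Directory (Split-Path -Parent $candidate)
        }
    }

    if ($Fix) {
        # Quote only the executable; keep any arguments exactly as they were.
        # Writing ImagePath requires administrator rights.
        $fixed = '"{0}"{1}' -f $exe, $pathName.Substring($exe.Length)
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
            -Name ImagePath -Value $fixed -Type ExpandString
        Write-Verbose "Quoted ImagePath for $($svc.Name): $fixed"
    }
}

if (-not $report) {
    'No unquoted service paths with spaces found.'
} else {
    $report | Sort-Object WritableByMe -Descending | Format-Table -AutoSize
}
```

A row with WritableByMe set to True for a service that runs as LocalSystem is the exploitable combination: anyone with that level of access can stage a binary that the service will launch with SYSTEM privileges the next time it starts. Services that are already quoted, or whose only spaces fall inside the argument list, are skipped because Windows has no ambiguity to resolve for them.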
BitPaymer Ransomware
The group exploiting this vulnerability used BitPaymer, a ransomware strain deployed in hands-on, targeted attacks against enterprises rather than in mass spam campaigns. BitPaymer operators work their way through a network manually over days or weeks, gaining access to as many systems as they can before triggering the encryption, so that the damage is as wide as possible when it lands. Ransom demands in BitPaymer attacks typically range from $500,000 to several million dollars.
The Fix
Apple patched the vulnerability in iTunes 12.10.1 for Windows. Every Windows user with iTunes installed, even one who never opens it, should update immediately, because the Bonjour service keeps running in the background regardless of whether iTunes is in use. Note too that Bonjour is installed as its own component: uninstalling iTunes does not remove it, so check Programs and Features for a separate "Bonjour" entry and remove or update that as well if iTunes is no longer needed.
This attack perfectly illustrates why software updates matter for every application, not just the ones you use daily. Landshark IT's managed services include automated patch management to close vulnerabilities like this promptly. Learn more about our cybersecurity services.