Apple has confirmed a critical security vulnerability in the iTunes application for Windows 10 and Windows 11 that could have allowed attackers to execute arbitrary code remotely. The vulnerability, tracked as CVE-2024-27793, was discovered by security researcher Willy R. Vasquez of The University of Texas at Austin. It affects the CoreMedia framework, which is responsible for processing media samples and managing queues of media data within iTunes.

Apple typically does not disclose security issues until an investigation has been completed and a fix is available; in this case the fix shipped in the iTunes 12.13.2 update. Details about the vulnerability remain limited at this time. It applies to versions of iTunes for Windows prior to 12.13.2 and primarily affects users of the app on Windows 10 and 11. Apple's security document states that parsing a file could lead to unexpected app termination or arbitrary code execution.

The vulnerability allows an attacker to execute arbitrary code by having the application parse a maliciously crafted file. Notably, the attacker does not need local access to the Windows machine, since exploitation can be carried out remotely. The CVSS v3 critical rating of 9.1 out of 10 reflects primarily the possibility of remote code execution. The root cause was identified as improper checks within the CoreMedia framework component, which Apple addressed with improved checks in the latest update.

According to the Vulnerability Database resource, CVE-2024-27793 can be exploited remotely with no authentication required, but successful exploitation does require user interaction. That interaction could be as little as clicking a link or visiting a site where the malicious file is then processed by CoreMedia. The low barrier to exploitation combined with the potential for arbitrary code execution is what makes this vulnerability so severe. Users are advised to update iTunes to the latest version to protect themselves from attacks leveraging this flaw.
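As an added, defender-side example (not part of the article or of any Apple tooling), the following PowerShell snippet reads the installed iTunes for Windows version from the standard Uninstall registry keys and flags builds older than the 12.13.2 fix; it assumes iTunes was installed with the classic installer, which registers under those keys, and the key paths and version format it relies on are assumptions stated in the comments.

```powershell
# Added example (not from the article): report whether the installed iTunes for
# Windows build predates the 12.13.2 update that fixes CVE-2024-27793.
# Assumption: iTunes was installed via the classic installer, which registers under
# the standard Uninstall keys; the Microsoft Store build is not covered by this check.
$FixedVersion = [version]'12.13.2'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ITunesStatus {
    # Collect any uninstall entry whose display name starts with "iTunes".
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'iTunes*' -and $_.DisplayVersion }

    if (-not $entries) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }

    foreach ($e in $entries) {
        # DisplayVersion may carry a fourth component (e.g. 12.13.2.3, a constructed
        # sample value); [version] compares both three- and four-part strings correctly,
        # so 12.13.1.x sorts below 12.13.2 and 12.13.2.x sorts at or above it.
        $installed = [version]$e.DisplayVersion
        [pscustomobject]@{
            Installed  = $true
            Version    = $installed
            Vulnerable = ($installed -lt $FixedVersion)
        }
    }
}

Get-ITunesStatus | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on each Windows endpoint; a `Vulnerable = True` row means the host still needs the 12.13.2 update.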
