iTunes says 'Bonjour' to Ransomware as attackers exploit Zero-Day

[exile360]

UPDATE:  New details have come to light indicating that it was the Apple Software Update component affected by this vulnerability NOT Bonjour.  Please refer to the information in this article for details.

A recently patched 0-day in the cloud component of iTunes known as 'Bonjour' was compromised by attackers to deploy ransomware to unsuspecting victims running the Apple software on Windows devices.  Apparently the vulnerability was the result of a very minor mistake in the code for the service where the programmer failed to use quotes to enclose the path for a pointer to a file which allowed the bad guys to manipulate the software to have it launch malicious code, bypassing detection by many AVs since iTunes is a generally trusted digitally signed application.

Thankfully the vulnerability has been patched, but this in my opinion highlights the need for users to be more cautious about the software that they let onto their devices and allow to run in the background constantly and on system startup (both of which Bonjour does by default, because apparently Apple thinks that you have nothing better to do with your system besides hosting iTunes and downloading music).  Sadly such is par for the course these days as marketers at companies vie for engagement with their user base in an attempt to boost sales through increased user interaction, even if that interaction is forced by not giving them an option as to whether or not the software they are installing will run constantly in the background and do things like add a new icon to their notification area, display alerts and marketing messages (which is adware, at least in my opinion), and regardless of how slow it might render a user's device and delay their boot times (one of the chief complaints by many when purchasing an off-the-shelf pre-built system thanks to all of the helpful 'value-add' applications that often come bundled 'for free' with such systems out of the box and which has become known throughout the tech community as 'preinstalled bloatware' and 'crapware' which should give you a sense of how highly these practices are regarded; and for the record, Malwarebytes classifies many of these as PUPs, and ADWCleaner has recently been augmented to specifically target many of these useless preinstalled applications deliberately in order to return control and performance of users' systems to where they belong: in the hands of the users themselves).

Anyway, you can read more about the iTunes 0-day incident here, and you can find Malwarebytes ADWCleaner (which is completely portable and doesn't install anything on your machine ) here.

Oh, and just for the record, I never have and never will use iTunes, and whenever I see the Bonjour service on a system I'm working on, I generally recommend that the user disables it with Autoruns if they don't absolutely need its cloud/streaming functionality because it's a waste of resources, like most of the 'helpful' applications that run in the background on our systems after installing software that we only use on occasion for a specific purpose.  Apple aren't the only ones doing this, so I don't want anyone to think I'm only picking on them.  Many companies do this and it's shameful.  Computers are faster and more powerful than they have ever been, yet many of them perform about as well as the earliest devices released with Windows Vista (which was actually a decent OS in my opinion; the hardware and drivers just weren't ready for it when it came out) which is inexcusable in my opinion.  It makes me glad that vendors like Malwarebytes exist to provide useful tools to eliminate some of this unwanted rubbish from our devices, especially for those among us who aren't versed in how to use more advanced utilities like Autoruns to eliminate them manually and don't know what is safe to uninstall and what is not.

Edited October 20, 2019 by exile360

[Hyperwolf122]

Sorry if this needs to be in another topic but a drawing software I use, uses bonjour, am I safe? I haven't turned the computer on since the exploit and I don't have iTunes. 

[exile360]

It's possible that it is vulnerable if it uses the same version of Bonjour that ships with iTunes.  I'd suggest checking the developer's website for your drawing software to see if they have any patches/updates available for it.

[Hyperwolf122]

Will do! I never see it running in the task manager however. Hopefully it isn't the same version that comes with iTunes 

[exile360]

You can check services.msc to see if it is listed there and see if it is running or not.  That's likely the easiest way to determine if it is installed and if it is active.

[Hyperwolf122]

Will do! If it is vulnerable is there somehow any precautions I should take? I'm hoping Windows Defender will detect it since I don't have premium malwarebytes as of now. 

[exile360]

I have no idea, but installing the latest Malwarebytes Anti-Ransomware Beta and Malwarebytes Anti-Exploit Beta would probably be a good idea, just keep in mind that installing Malwarebytes Anti-Ransomware Beta will remove Malwarebytes free from your system because the two programs use different versions of the same components so both cannot be installed at the same time.  Malwarebytes Premium includes Anti-Ransomware and Anti-Exploit in addition to its other components so that's also an option if you do decide to upgrade.

[Hyperwolf122]

I luckily have anti exploit installed on my system, thanks for informing me with this all

[exile360]

You're welcome, I'm glad to be of service  

[David H. Lipman]

So far I can't find a Common Vulnerability and Exposures listing in Apple Bonjour for what's been purported.

Edited October 11, 2019 by David H. Lipman

[exile360]

I found more details in this article and Apple themselves reference the vulnerability which was reported to Apple by Morphisec Labs in their acknowledgements for their software updates here, here, and here.

It doesn't appear to have a CV# at the moment, but that's likely due to the fact that it was reported more recently and has already been addressed in a patch.  I don't know what the procedure is in situations like this, but I'm guessing they either will issue a CV later or they'll just put it to rest as it was fixed so quickly (though I don't know what the impact is on third party solutions that use Bonjour as mentioned above, so it may still warrant further tracking and documentation).

[mountaintree16]

Oh damn, I don't have iTunes at the moment, but good information to have.

That's scary!  I would always disable or uninstall it when it was on my computer or a computer that I was using; I always thought it was pointless and why was it running all the time -_-

[AdvancedSetup]

https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign

Quote

10/11/19 Update: During revalidation of the exploit, and as we continue to work with Apple on further vulnerabilities that have yet to be patched or announced, we observed that the abused vulnerability relates specifically to an Apple Software Update component that is not associated with Bonjour. 

 

[exile360]

Cool, thanks for the update Ron  

I've updated my initial post accordingly.

Edited October 20, 2019 by exile360