The Computer Emergency Response Team (CERT-In) of India recently issued an advisory regarding two Apple iTunes vulnerabilities that were found in versions of the software prior to 12.12.9 for Windows. The two high-severity vulnerabilities, identified as CVE-2023-32353 and CVE-2023-32351, could allow hackers to gain elevated privileges to make undesired changes to a compromised system.
The vulnerabilities in Apple iTunes stem from logic issues that could cause a compromised system to perform unintended behavior. The Apple advisory suggests mitigation methods, but not much information has been shared about the vulnerabilities at this time. The Cyber Express contacted both the CERT-In team and Apple for additional details regarding the vulnerabilities, and will update the report with any response received.
These Apple iTunes vulnerabilities are not the first high-severity vulnerabilities identified in Apple products. In fact, earlier this year, Apple addressed two zero-day vulnerabilities that were reportedly being exploited in the wild. These vulnerabilities affected iPhones, iPads, and Mac computers, with one vulnerability identified as CVE-2023-28206 and another as CVE-2023-28205. Both vulnerabilities were high severity, with base scores of 8.6 and 8.8, respectively.
Despite these recent Apple vulnerabilities, the top five exploited bugs in 2022 were not found in Apple products, but rather in Microsoft Exchange, Zoho ManageEngine products, and virtual private network solutions from Fortinet, Citrix, and Pulse Secure. The vulnerabilities were identified as Log4Shell, Follina, Atlassian Confluence Server and Data Center flaws, and ProxyShell.
The Log4Shell vulnerability can have a devastating impact on system security for millions of Java-based applications. The flaw, found in older versions of a library named libxmlsec from the Apache Santuario open-source project, allowed for complete control of the device. Similarly, the high-severity bug identified in the Microsoft Office suite of products, Follina, allowed for remote code execution attacks, which could be thwarted if the user did not open unsolicited and infected files.
Another critical-severity bug identified in 2022 was in Confluence Server and Data Center, which also allowed for remote code injection. Microsoft Exchange ProxyShell vulnerabilities enabled complete control of the Exchange Server and lateral movement, allowing hackers to exploit it for cryptocurrency mining. Although patches were released, they did not guarantee results, and users were urged to install updates manually if the software did not upgrade automatically.
Timely vulnerability disclosure from major vendors, such as Microsoft, is imperative so that users are aware of vulnerabilities and can apply patches promptly. The 2022 report also highlighted that operating system vulnerabilities were the most common, amounting to 50.5%. This stresses the importance of timely action from both vendors and users in releasing and applying updates.
While vulnerabilities from previous years remain prominent, new vulnerabilities are discovered each year, so organizations must remain vigilant in their efforts to patch and update systems. With the continuous advancement in technology and the increased use of connected devices, it is more crucial than ever to prioritize cybersecurity measures.