The Computer Emergency Response Team (CERT-In) of India issued an advisory addressing two Apple iTunes vulnerabilities. The bugs were found in Apple iTunes versions prior to 12.12.9 for Windows. They were CVE-2023-32353 and CVE-2023-32351.
Two vulnerabilities in Apple iTunes
The two high-severity Apple iTunes vulnerabilities can allow hackers to gain elevated privileges to make undesired changes to the compromised system. These vulnerabilities exist due to logic issues that allow the hacked system to perform unintended behavior.
Mitigation methods were mentioned in an Apple advisory. Not much has been shared about the Apple iTunes vulnerabilities as of now.
The Cyber Express has reached out to the CERT-IN team and Apple for additional details regarding the the Apple iTunes vulnerabilities. We will update this report after receiving their response.
Vulnerabilities exploited in the wild
Apple recently addressed two zero-day vulnerabilities that were reported to be exploited in the wild. The two Apple vulnerabilities were in iPhone, iPad, and Mac.
CVE-2023-28206 was a high-severity bug with a base score of 8.6. And, CVE-2023-28205 was also a high-severity Apple vulnerability with a base score of 8.8.
Top 5 Most Exploited Vulnerabilities
The top five exploited bugs in 2022 were found in Microsoft Exchange, Zoho ManageEngine products, and virtual private network solutions from Fortinet, Citrix, and Pulse Secure.
The bugs were Log4Shell, Follina, Atlassian Confluence Server, and Data Center flaw, and ProxyShell, according to reports.
- Log4shell: The full scope of the exploitation of the Log4Shell vulnerability has not been determined yet. However, it can cause a devastating impact on the system security of the millions of Java-based applications.
- Zoho ManageEngine products: This vulnerability was located in older versions of a library named libxmlsec from the Apache Santuario open-source project. “When ManageEngine issued its advisory on January 10, researchers from Horizon3.ai investigated it and reverse-engineered the patch to create a working proof-of-concept exploit,” a CSO Online report Several conditions for exploitation were found through this vulnerability. The flaw allowed complete control of the device. Patches were released by the vendor, however, it was still exploited.
- Follina: The high-severity bug in the Microsoft Office suite of products allows remote code execution attacks. However, the exploitation may be thwarted if the user does not click on unsolicited and infected files.
- Atlassian Confluence Server and Data Center vulnerability: This critical severity bug in Confluence Server and Data Center also allowed remote code injection. “All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” a company advisory stated.
- ProxyShell: Exploiting the Microsoft Exchange ProxyShell vulnerabilities allowed complete control of the Exchange Server and lateral movement. ProxyShell which is a set of three vulnerabilities was offered patches by Microsoft in 2021. However, early in February this year, a malware called ProxyShellMiner was found exploiting it for cryptocurrency mining.
Released patches do not guarantee results and users are urged to manually install updates if it does not upgrade automatically.
Reiterating the same, a Tenable research read: “Perhaps most alarming is that, alongside the plethora of shiny new vulnerabilities discovered in 2022, the vulnerabilities of years past continue to haunt organizations. In fact, flaws dating back to 2017 were so prominent this year that we felt they warranted the number one spot in our list of top vulnerabilities of 2022.”
The report also stressed the need for timely vulnerability disclosure from major vendors which mars prompt patch installations from users.
Especially for a company like Microsoft, it becomes imperative that vulnerabilities are addressed and disclosed for users to be aware of.
Moreover, in 2020, browser-based vulnerabilities topped the list with 35.7% which transitioned to 30.5% in 2021.
In 2022, operating system vulnerabilities were found the most amounting to 50.5% which stresses on the need for timely actions from the vendors and users in patching updates.
