Flaw in iTunes for Windows Abused for Ransomware Attacks
Security researchers with Morphisec are warning that the BitPaymer ransomware actors have been exploiting a security flaw in the Bonjour updater for the Windows version of Apple iTunes in order to avoid detection by anti-malware solutions on targeted systems.
Bonjour contains an “unquoted path vulnerability” that threat actors can use to make the app run malicious files. Simply put, if a path name containing a space does not have quotes around it, Windows may try to run only the first word in the path, the part before the space. Morphisec CTO Michael Gorelik explained that “in this scenario, Bonjour was trying to run from the ‘Program Files’ folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named ‘Program.’” Apple has released a fix for the issue. However, users who have removed iTunes from their system without also deleting Bonjour will still have a vulnerable instance on their system, probably without realizing it.
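
For defenders auditing for the unquoted-path condition described above, the following added example (not from Morphisec or Apple) lists the executable names Windows would try before the intended one when a command line is unquoted. It goes slightly beyond the one case in the article by reporting every space-delimited prefix, not only "Program". The sample entries and the function names are constructed for illustration, and treating the first ".exe" as the end of the intended path is a heuristic assumption.

```python
import re

# Heuristic (assumption): the intended executable ends at the first ".exe"
# that is followed by whitespace or the end of the command line.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def earlier_candidates(command_line):
    """Return the paths Windows would try before the intended executable.

    An empty list means the command line is quoted or its path has no spaces.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []  # quoted: the path is used exactly as written
    match = _EXE_END.search(cmd)
    intended = cmd[:match.end()] if match else cmd
    parts = intended.split(" ")
    found = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        file_name = prefix.rsplit("\\", 1)[-1]
        if "." not in file_name:
            prefix += ".exe"  # Windows appends .exe when no extension is given
        found.append(prefix)
    return found


def audit(entries):
    """Keep only the entries whose command line has earlier candidates."""
    return {name: c for name, cmd in entries.items()
            if (c := earlier_candidates(cmd))}


# Constructed sample command lines (hypothetical names, not real products).
SAMPLE = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\updater.exe",
    "QuotedService": r'"C:\Program Files\Example Vendor\svc.exe" /q',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(name, "->", paths)
```

Any path this reports that sits in a directory writable by non-administrators deserves attention; the fix is to put quotes around the full executable path in the entry that launches it.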