![]() ![]() It is not required to be a member of FIRST to utilize or implement CVSS, but FIRST does require any individual or organization give appropriate attribution while using CVSS. June 01, 2023: Synopsys publishes disclosureįIRST.Org, Inc (FIRST) is a nonprofit organization based out of U.S.November 24, 2022: Apple confirms vulnerability.Zeeshan Shaikh is a researcher with the Synopsys Cybersecurity Research Center. Affected softwareĮxploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system level privileges.ĬVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Remediation After the installation, the first user to run the iTunes application can delete the SC Info folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access. The iTunes application creates a folder, SC Info, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. This can then be leveraged to obtain a higher-privileged system shell. ![]() It is possible for a regular user to redirect this folder creation to the Windows system directory. The application creates a privileged folder with weak access control. iTunes is a software program that acts as a media player, media library, mobile device management utility, and the client app for the iTunes Store. The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows. Synopsys Cybersecurity Research Center has discovered a local privilege escalation vulnerability in Apple iTunes on Microsoft Windows.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |