The Synopsys Cybersecurity Research Center (CyRC) has discovered CVE-2023-32353, a security vulnerability in Apple iTunes versions prior to 12.12.9 on Microsoft Windows.
The application creates a privileged folder with weak access control. CyRC says this makes it possible for a regular user to redirect this folder creation to the Windows system directory, which can then be leveraged to obtain a higher-privileged system shell. Exploitation of this vulnerability can lead to local privilege escalation on Windows, yielding system-level privileges.
Apple has patched the vulnerability; iTunes users on Windows should upgrade to version 12.12.9 or later.
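
A defender-side check for the condition described above, as an added example that is not code from Synopsys or Apple: it reports installer-based iTunes installs older than 12.12.9 and lists ACL entries that let ordinary users write to or delete from a folder. The `-AuditPath` parameter is an assumption of this example; the advisory text here names no folder, so the operator supplies the directories to inspect.

```powershell
param(
    # Assumption: operator-supplied folders to audit; the advisory names no path.
    [string[]]$AuditPath = @()
)

$fixed = [version]'12.12.9'   # first fixed release, per the advisory
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Report iTunes installs listed in the Uninstall keys and whether they predate the fix.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'iTunes' -and $_.DisplayVersion } |
    ForEach-Object {
        $installed = [version]$_.DisplayVersion
        [pscustomobject]@{
            Product    = $_.DisplayName
            Version    = $installed
            NeedsPatch = $installed -lt $fixed
        }
    }

# 2. Report Allow ACEs that let low-privileged principals write or delete.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
$risky = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$mask = [int]$risky -bor 0x50000000

foreach ($path in $AuditPath) {
    # Ask for SIDs rather than names so the match is locale-independent.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $path
                Sid       = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
```

Any row with `NeedsPatch = True` is a host to upgrade; rows from the second step show folders where an application running with higher privileges would be trusting a location that standard users can modify.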