In the past 6 months Apple has released 2 Security Updates for the Windows versions of QuickTime and iTunes, addressing 52 vulnerabilities. Both Apple security bulletins included vulnerabilities that could be exploited to run code with the rights of the logged-on user. Here’s a breakdown of the updates released:
| Measure | Value |
|---|---|
| % of vulnerabilities with privilege exploits | 48% |
Apple, unlike Microsoft and the other software vendors Arellia has looked at, does not classify its Security Updates; instead, it lumps many vulnerabilities into a single security update. Here’s a breakdown of the two security updates and their vulnerabilities with privilege exploits:
| Security Update | Vulnerabilities with Privilege Exploits | Total Vulnerabilities |
|---|---|---|
| Apple QuickTime Player | 12 | 12 |
100% of QuickTime’s vulnerabilities had privilege exploits, meaning that if an administrator not using privilege management software opened a malicious file in QuickTime, the attacker’s code could run with that administrator’s rights on the system. 62.5% of iTunes vulnerabilities also had privilege exploits; however, the iTunes exploits would be more difficult to carry out, because most of them require injecting code as a man-in-the-middle while the user is accessing the iTunes Store. Regardless of how difficult an exploit is to pull off, any vulnerability that can exploit user privileges should be a concern. Privilege management software is a proven way to limit such exploits. Unlike patching, privilege management limits exploitation of both known and unknown vulnerabilities, because it always restricts the application’s privileges regardless of the user’s account type.
iTunes and QuickTime are unlikely to be deployed by IT in many organizations. The reality is that iTunes and QuickTime are probably on the majority of desktops because of the iPhones, iPads, and iPods that end users own. As a result, many organizations are exposed to exploitation through vulnerabilities in this software.
Software vulnerabilities are most dangerous to users and businesses when least-privilege best practices aren’t followed. Those best practices include removing administrative rights from end users, running applications with restricted privileges, and securing administrator accounts. Privilege management software such as Arellia Application Control Solution and Local Security Solution can reduce the impact of vulnerabilities by securing the rights of applications and users.
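As an added example (not code from Arellia, Apple, or the original post), the following PowerShell script implements two of the practices listed above with built-in Windows tooling: it reports whether the current user holds local administrator rights and which non-default accounts sit in the local Administrators group, and it launches an application under a reduced-rights token using `runas /trustlevel`, so that a malicious file opened by that application cannot run code with administrative rights. The QuickTime executable path is a placeholder, and the function names are the example’s own.

```powershell
# Added example: two checks that map to the least-privilege practices above.
#   1. Is the current user an administrator, and is this session elevated?
#   2. Launch an application with a reduced-rights ("Basic User") token.
# $AppPath in the usage line is a placeholder; substitute the real executable path.

function Get-AdminExposure {
    # Whether the token of this PowerShell process is elevated, i.e. admin
    # rights are in use right now (under UAC an admin's normal session is not).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Whether the user is a direct member of the local Administrators group.
    # An unelevated admin can still elevate, so this is the exposure that
    # matters for "remove administrative rights from end users".
    # (Membership through a nested group is not detected by this direct match.)
    $members      = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $isLocalAdmin = $members | Where-Object { $_.Name -eq $identity.Name }

    # Flag non-default members: anything other than the built-in Administrator
    # (RID 500) and Domain Admins (RID 512). These are candidates for removal.
    $extra = $members | Where-Object { $_.SID.Value -notmatch '-(500|512)$' }

    [pscustomobject]@{
        User             = $identity.Name
        SessionElevated  = [bool]$elevated
        UserIsLocalAdmin = [bool]$isLocalAdmin
        NonDefaultAdmins = @($extra | ForEach-Object { $_.Name })
    }
}

function Start-AsBasicUser {
    param([Parameter(Mandatory)][string]$AppPath)
    # runas /trustlevel:0x20000 starts the program at the "Basic User" trust
    # level: the process receives a restricted token without Administrators
    # group membership, so code that exploits a bug in the application inherits
    # only standard-user rights even when launched by an administrator.
    # Unlike runas /user:, no credential prompt is involved.
    # (runas /showtrustlevels lists the levels available on the machine.)
    runas.exe /trustlevel:0x20000 "`"$AppPath`""
}

# Usage
Get-AdminExposure | Format-List
Start-AsBasicUser -AppPath 'C:\Path\To\QuickTimePlayer.exe'   # placeholder path
```

The first function is a quick audit of practice one (are end users, including you, local admins?); the second applies practice two to a single launch. It is a per-process mitigation, not a replacement for removing admin rights or for a privilege management product that applies the restriction to every launch of the application.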