
Sounds more like AppleDoesntGiveAFuckAboutiTunesPlugins.

I think from their POV, as long as apps installed through the Mac App Store are safe (through the sandbox), what code you install (such as full-privilege unsigned code and iTunes plugins) is up to you.

> The plugin folder is writable by current logged in user so a trojan dropper can easily load a malicious plugin

A trojan could also replace the iTunes dock icon with a fake iTunes that does the same thing. Once you're running unsigned code on the machine, all bets are off.




The problem here is that it's "just" a plugin. Think of the problem like malicious sites that target Windows stating that you need to download a codec to view certain media. The casual user will not receive any sort of warning when they download it, and when iTunes opens, they have the keys to the castle. Also, given that a lot of users use the same password for everything, getting the iTunes user password means you have a good chance at snagging root at the same time.


Download what, exactly?

Downloading the zip file linked to by the OP gives me a folder full of source code, not an "iTunes plugin". Even if it did give me a built plugin, I wouldn't have a clue what to do with it absent further instructions. This is a very poor demonstration of whatever they're trying to prove.

The README says "Copy to ~/Library/iTunes/iTunes Plug-ins to install."

So, they're expecting the "casual user" to copy a file to a hidden directory? Good luck with that.

I did a quick search for iTunes plugins. They all seem to come in some sort of executable installer, thus being subject to the ordinary warnings. The OP even suggests as much, with "a trojan dropper can easily load a malicious plugin". How does that "trojan dropper" get on the system?

This isn't a security hole, it's a wannabe scriptkiddy who wants to make noise.


It's a proof of concept showing a flaw in a core, non-sandboxed application. Someone with better social engineering and/or someone interested in targeting specific people could turn this into something rather nasty.


No, it's demonstrating (poorly) the ordinary functionality of application plugins.

The most iTunes could possibly do is display a warning dialog on unsigned plugins. Not a bad idea, perhaps, but its absence is hardly a flaw. You're already postulating sufficient social engineering that I can't believe the warning would stop anyone.


So you're saying that a malicious iTunes visualizer plugin won't get installed and get past antivirus?

Or maybe that your visualizer/screensaver plugins should have access to your credit cards?

Worries the crap out of me, personally. :)


I'm saying once you download and run arbitrary native code, all bets are off. Hell, I just kind of assume any such code has full root access no matter what user it's started as, given the commonality of privilege escalation vulnerabilities.


No you dumb ass, I am expecting a malware dropper to copy it, where the malware dropper can be any application that you download. Now go reverse different CoinThief samples and learn a thing or two.


Thank you for confirming you're just an angry scriptkiddy looking to make a name for yourself. We all now know for certain that you can be safely ignored.


I forgot about Windows, and cannot speak to it.

On the Mac, iTunes plugins are generic ".bundle" files that don't open iTunes when double-clicked, and need to be manually installed via drag-and-drop into the appropriate folder.

These .bundle files DO seem to circumvent the untrusted code warning dialog though, which I'd say is an actual vulnerability here.



