40 Windows apps contain critical bug, says researcher

Separate patch required for each, says HD Moore, who declines to name affected software

About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday.

The bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs, said HD Moore, the chief security officer of Rapid7 and creator of the open-source Metasploit penetration testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.

Each affected program will have to be patched separately.

Moore first hinted at the widespread bug in a message on Twitter on Wednesday. "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," he tweeted, then linked to an advisory published by Acros, a Slovenian security firm.

That advisory detailed a vulnerability in iTunes for Windows that hackers could exploit by persuading users to download and open a malformed media file, or by duping them into visiting a malicious Web site, where they would fall to a drive-by attack.

Apple patched the iTunes for Windows bug last March when it updated the music player to version 9.1. According to Apple, the bug does not affect Mac machines.

Acros' advisory insinuated that the vulnerability was in more than just iTunes. "Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation," the warning said.

It would have been odd for Acros to note the possibility of exploitation if the bug was iTunes-only and had been patched months earlier.

Moore confirmed that the flaw "applies to a wide range of Windows applications," and added that he stumbled across it while researching the Windows shortcut vulnerability , a critical bug that Microsoft acknowledged in July and patched on Aug. 2 using one of its rare "out-of-band" emergency updates.

Moore declined to name the applications that contain the bug or to go into great detail about the vulnerability. But he was willing to share some observations.

"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."

Some of what Moore described was reminiscent of the attacks using the Windows shortcut vulnerability. For instance, hackers were able to launch drive-by attacks exploiting the shortcut bug from malicious sites via WebDAV, and could embed their exploits into Office documents, which would presumably be delivered to victims as seemingly innocuous e-mail attachments.

His advice until the vulnerable applications are patched was also taken from Microsoft's shortcut bug playbook.

"Users can block outbound SMB [by blocking TCP ports] 139 and 445, and disable the WebDAV client [in Windows] to prevent these flaws from being exploited from outside of their local network," Moore recommended.

Both workarounds were among those Microsoft told users they could apply if they were unable to apply the emergency update.

But although Microsoft was able to plug the shortcut hole with a patch for Windows, Moore was pessimistic that the company would be able to do the same with this vulnerability.

"Solving the flaw requires every affected vendor to produce a patch," he said. "There may be other workarounds available, but the core issue is with the application itself, not necessarily the Windows operating system. There may be fixes that can be applied at the OS level, but these are likely to break existing applications."

Microsoft did not reply to a request late Wednesday seeking confirmation of Moore's claims, and asking whether any of its applications contain the bug. According to Moore, at least one Microsoft executable -- "explorer.exe," the Windows shell -- includes the flaw.

Moore said that Rapid7 would release more information about the vulnerability next week, and added that an exploit module has been written for Metasploit but has not been released.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about app security in Computerworld's App Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags App SecurityApplesecurityWindowssoftwaretwitterMalware and Vulnerabilitiesoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?