Zero-day Windows bug problem worse than first thought, says expert

'Most every Windows application' at risk, says Slovenian security firm that's working with Microsoft on fix

An unpatched problem with Windows applications is much worse than first thought, with hundreds of programs, not just 40, vulnerable to attack, a Slovenian security company said today.

"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It appears that most every Windows application has this vulnerability."

Yesterday, American researcher HD Moore announced that he had stumbled on about 40 Windows applications with a common vulnerability, but declined to name the programs or go into detail about the bug.

Today, Kolsek said that Acros has been digging into a new class of vulnerabilities for months, has found more than 200 flawed applications harboring more than 500 separate bugs, and reported its findings to Microsoft more than four months ago.

In other words, the problem is much more widespread than Moore let on Wednesday.

"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability," said Kolsek. Acros built a specialized tool to help its researchers pinpoint which applications were vulnerable.

According to Kolsek, the bug is in how most applications load and execute code libraries -- ".dll" files in Windows -- and executables, including ".exe" and ".com" files. He dubbed the class of bugs "remote binary planting," and said the flaws could be easily exploited.

"The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables," he said. Hackers can use that to trick a wide range of Windows applications into loading malicious files in place of the .dll or .exe files they normally load.

Most Windows applications rely on the functionality to operate, a problem that may prevent Microsoft from issuing a single patch. Although Microsoft could patch Windows to change the functionality, Kolsek at one point said he believed that such a fix could break scores of applications.
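To make the search-order point concrete, here is a small Python model of the Windows DLL search order for an unqualified library load, an added example that is not code from the article, Acros or Microsoft. The directories, file names and the optional `helper.dll` load are constructed, and the `include_cwd=False` case stands in for an application that has called `SetDllDirectory("")` to drop the current working directory from its search order.

```python
# Added example: a model of the Windows DLL search order for an unqualified
# LoadLibrary("name.dll") call. It is not Acros' scanning tool or Microsoft code;
# directory contents below are constructed sample data.
SYSTEM_DIRS = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_search=True, include_cwd=True):
    """Directories consulted, in order, for an unqualified DLL name.
    safe_search=True mirrors SafeDllSearchMode (on by default since XP SP2):
    the current working directory (CWD) comes after the system directories.
    safe_search=False puts CWD second, right after the application directory.
    include_cwd=False models an application that removed CWD from the search
    order with SetDllDirectory(""), the developer-side mitigation.
    """
    order = [app_dir] + SYSTEM_DIRS
    if include_cwd:
        order.insert(len(order) if safe_search else 1, cwd)
    return order + list(path_dirs)

def resolve(name, order, filesystem):
    """First directory in `order` containing `name`, or None if not found.
    `filesystem` maps a directory to the set of file names it holds."""
    for directory in order:
        if name in filesystem.get(directory, set()):
            return directory
    return None

def audit(name, app_dir, cwd, path_dirs, filesystem, **opts):
    """Classify one load: 'cwd' if it would be satisfied from the current
    working directory (the binary-planting condition), 'ok' if it resolves
    earlier in the search order, 'missing' if nothing is found."""
    order = search_order(app_dir, cwd, path_dirs, **opts)
    where = resolve(name, order, filesystem)
    if where is None:
        return "missing", None
    return ("cwd" if where == cwd else "ok"), where

# Constructed scenario: a document opened from a remote share makes that share
# the CWD; helper.dll is an optional library the application does not ship.
APP = "C:\\Program Files\\App"
CWD = "\\\\share\\docs"
FS = {
    APP: {"app.exe", "core.dll"},
    "C:\\Windows\\System32": {"kernel32.dll"},
    CWD: {"report.doc", "helper.dll"},
}

if __name__ == "__main__":
    for dll in ("kernel32.dll", "core.dll", "helper.dll"):
        print(dll, audit(dll, APP, CWD, [], FS), audit(dll, APP, CWD, [], FS, include_cwd=False))
```

The `helper.dll` case is the one the article describes: a library the application looks for but does not ship falls through to the CWD, and removing CWD from the order turns that load into a plain "missing" result instead.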

Later in the interview, however, Kolsek seemed to waffle. "I'm very confident that Microsoft will come up with a solution that will work fairly well for most people," he said. "But it's not going to remove the problem."

If Microsoft doesn't come up with a fix, application vendors may have to issue separate patches, a stance that Moore, the CTO of Rapid7 and creator of the open-source Metasploit penetration testing toolkit, took Wednesday. Another option may be for Microsoft to issue an update targeted at developers, who would then use it to patch their own code, a tactic used two years ago when it addressed a bug in the ATL (Active Template Library) code library.

Kolsek also said that he thought Microsoft would have some kind of solution sooner rather than later. "They'll do something very quickly," he said. He added that he wasn't privy to Microsoft's schedule.

One clue to a possible patch schedule is that Kolsek is slated to present a paper on remote binary planting at the DeepSec security conference, set to run Nov. 23-26 in Vienna, Austria. Because Acros and Microsoft have been in discussions about the vulnerabilities, one could assume any Microsoft-generated fix would ship before Kolsek steps on stage this fall.

Kolsek hinted today that Acros and Microsoft had intended to keep the problem under wraps for a little bit longer.

"But now that the cat is out of the bag..." said Kolsek, referring to Moore's disclosure Wednesday. He said there was no reason not to go public with a bare-bones description of the problem.

That problem could be even bigger than Acros has pegged it, Kolsek admitted.

"We calculated that there are about 100 billion instances of this class currently exposing users," he said, explaining Acros came up with that number by assessing the market share of individual applications that contain the bug, then multiplying it by the global installed base for Windows.

"These vulnerabilities' critical impact and relative ease of exploitation present a serious threat to basically all Windows machines," Kolsek said.

Acros plans to publish more information on the vulnerability class soon.

Microsoft declined to comment further about the vulnerabilities, and instead referred to a statement it provided Computerworld earlier today, in which it confirmed it was investigating.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
