Thursday, August 19, 2010

40 Windows Apps Contain Critical Bug, Says Researcher

Via -

About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday.

The bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs, said HD Moore, the chief security officer of Rapid7 and creator of the open-source Metasploit penetration testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.

Each affected program will have to be patched separately.

Moore first hinted at the widespread bug in a message on Twitter on Wednesday. "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," he tweeted, then linked to an advisory published by Acros, a Slovenian security firm.


Moore confirmed that the flaw "applies to a wide range of Windows applications," and added that he stumbled across it while researching the Windows shortcut vulnerability, a critical bug that Microsoft acknowledged in July and patched on Aug. 2 using one of its rare "out-of-band" emergency updates.


Moore declined to name the applications that contain the bug or to go into great detail about the vulnerability. But he was willing to share some observations.

"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."


His advice until the vulnerable applications are patched was also taken from Microsoft's shortcut bug playbook.

"Users can block outbound SMB [by blocking TCP ports] 139 and 445, and disable the WebDAV client [in Windows] to prevent these flaws from being exploited from outside of their local network," Moore recommended.


Moore said that Rapid7 would release more information about the vulnerability next week, and added that an exploit module has been written for Metasploit but has not been released.


In Windows XP, the WebDAV client is a service that runs called "WebClient". By default, this service is set to "Automatic".

No comments:

Post a Comment