Update: 40 Windows apps contain critical bug, says researcher
Separate patch required for each, says HD Moore, who declines to name affected software
Computerworld - About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday.
The bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs, said HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.
Each affected program will have to be patched separately.
Moore first hinted at the widespread bug in a message on Twitter on Wednesday. "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," he tweeted, then linked to an advisory published by Acros, a Slovenian security firm.
That advisory detailed a vulnerability in iTunes for Windows that hackers could exploit by persuading users to download and open a malformed media file, or by duping them into visiting a malicious Web site, where they would fall prey to a drive-by attack.
Apple patched the iTunes for Windows bug last March when it updated the music player to Version 9.1. According to Apple, the bug does not affect Mac machines.
Acros' advisory insinuated that the vulnerability was in more than just iTunes. "Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation," the warning said.
It would have been odd for Acros to note the possibility of exploitation if the bug was iTunes-only and had been patched months earlier.
Moore confirmed that the flaw "applies to a wide range of Windows applications," and added that he stumbled across it while researching the Windows shortcut vulnerability, a critical bug that Microsoft acknowledged in July and patched on Aug. 2 using one of its rare "out of band" emergency updates.
Moore declined to name the applications that contain the bug or to go into great detail about the vulnerability. But he was willing to share some observations.
"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."
Some of what Moore described was reminiscent of the attacks using the Windows shortcut vulnerability. For instance, hackers were able to launch drive-by attacks exploiting the shortcut bug from malicious sites via WebDAV, and could embed their exploits into Office documents, which would presumably be delivered to victims as seemingly innocuous e-mail attachments.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Riverbed Stingray Application Firewall: Securing Cloud Applications with a Distributed Web Application Firewall Responsibility over IT security is moving away from the network and IT infrastructure and to the application and software architecture itself. IT organizations...
- Web Application Firewalls--Laying the Myths to Rest This paper addresses some of the myths about WAFs and outlines how businesses are optimizing their investment in protecting their ever-evolving web apps.
- PCI DSS Compliance in Cloud Environments This technology analysis addresses the challenges of the evolving cloud security landscape and how organizations can achieve PCI DSS compliance in cloud environments...
- Web Attack Survival Guide This guide will help you protect your organization from external threats targeting your high-value applications and data assets.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Application Security White Papers | Webcasts