40 Windows Apps Said To Contain Critical Bug
CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."
The Parrot says it best. (Score:4, Funny)
http://www.youtube.com/watch?v=wxlhyX-4qKI [youtube.com]
Re: (Score:3, Informative)
Thanks... you just made my day.
Only 40? (Score:2, Insightful)
Only 40? That's definitely an improvement over the 7-year-old Linux exploit that was only just fixed, where any GUI app could gain root access.
Re: (Score:3, Insightful)
Technically, any GUI app could gain root access, but this doesn't mean a computer running trusted applications (I trust the apps I run to not gain root and mess with my system) could be exploited without another bug.
Still probably doesn't compare, and still very bad, but let's not turn it into a bigger scare than it really is.
Re:Only 40? (Score:4, Insightful)
The problem is - trusted applications can have holes too.
I mean, many people trust iTunes, and that was one of the apps with the holes (admittedly fixed).
Are you 100% certain ALL of your trusted applications don't have holes, and the versions you ran in the last 7 years didn't have holes?
The GUI issue was a HUGE problem - however it is/was fixed, which is the important part.
Re: (Score:3, Interesting)
makes sense because the native registry/file virtualization is provided by MICROSOFT, and this being slashdot, the mantra is "anything windows does, a third party app does better, because M$ SUCKS!!!", unless it's "shitty iTunes bloatware for windows".
Re: (Score:2)
Yo dawg, we heard you like virtualization, so we virtualized your virtual host so you can virtualize while you virtualize.
Really? (Score:5, Funny)
Just 40?
Re: (Score:3, Funny)
Well now, I think the real question is how many *aren't* made by Adobe?
Re: (Score:2)
That was my thought. Microsoft issued a hotfix for Visual Studio 2008 last year that corrected a security vulnerability in their ATL libraries. (This is the same hotfix that, if you installed it and VS2008's SP1 in a bad sequence, you'd screw over the install. I was up all night on that one. *sigh*)
The problem? This security vulnerability was in a C++ template, which means that the bug is stuck permanently within any program compiled against it. It's not like the CRT or MFC shared libraries which can be rep
No, 200 now (Score:2)
According to The Register article, it is 200 now and counting. In fact, 40-200 etc. happens because downloading/testing software takes time, not anything else :)
Re: (Score:2)
Since when is the fact that programs have bugs news.
Being a programmer is almost as depressing as being a meteorologist. People use your services/products on a daily basis but only remember you when you get things wrong.
Also, making a bug-free application is almost as hard as making a faultless weather prediction for an entire month.
I don't know why we, programmers and meteorologists, even try (though programmers also catch and throw).
Nit-picking about "bugs." (get it? Har har har.) (Score:2)
So little detail... (Score:5, Insightful)
So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.
So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?
Re:So little detail... (Score:4, Funny)
There's no detail here, not even cursory detail, on what filetypes or applications to avoid.
Presumably anything that runs on Windows would be a good first approximation.
Re: (Score:3, Informative)
The article does mention that blocking WebDAV and SMB at your perimeter router will at least prevent the exploit coming from outside your network, though I agree that in general it seems long on FUD and self-congratulation and short on useful content.
Re:So little detail... (Score:4, Informative)
Slight self-correction: blocking SMB at the router and disabling the WebDAV client on all Windows machines. Still, there's a mitigation that should work for most people.
Re: (Score:2)
Verizon doesn't block SMB on residential connections anyway? I know Comcast does. As far as disabling WebDAV, the article links to a Microsoft security bulletin that - among other things - contains instructions for doing that.
The sad truth is that most people won't even know the security problems exist, even after there are fixes available for them. People who actually care about these things are already a rarefied group among Windows users.
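An added example, not code from the thread, from Microsoft's bulletin or from Acros: a PowerShell audit of the two host-side mitigations this sub-thread settles on (the WebDAV client, which on Windows is the WebClient service, and the CWDIllegalInDllSearch value that Microsoft's KB2264107 update introduced for exactly this DLL search problem), with an opt-in function that applies them. The policy value 2, the firewall rule name and the choice to mirror the router's SMB block on the host firewall are this example's choices, not the thread's. Run it from an elevated prompt.

```powershell
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllHijackMitigationState {
    # Report the CWD policy and the WebClient (WebDAV redirector) service state.
    $item = Get-ItemProperty -Path $SessionManagerKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    # The DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1; mask it back.
    $policy = if ($null -eq $item) { 'not set (CWD is searched)' } else { '0x{0:X8}' -f ($item.CWDIllegalInDllSearch -band 0xFFFFFFFF) }
    [pscustomobject]@{
        CWDIllegalInDllSearch = $policy
        WebClientState        = if ($svc) { $svc.State } else { 'not installed' }
        WebClientStartMode    = if ($svc) { $svc.StartMode } else { 'n/a' }
    }
}

function Set-DllHijackMitigation {
    # -Policy: 1 = skip CWD when it is a WebDAV share, 2 = skip CWD when it is WebDAV or any
    #          remote (UNC) share, 4294967295 (0xFFFFFFFF) = never search CWD.
    #          Systems without the KB2264107 update ignore the value.
    [CmdletBinding(SupportsShouldProcess)]
    param([long] $Policy = 2, [switch] $BlockOutboundSmb)

    if ($PSCmdlet.ShouldProcess($SessionManagerKey, ('Set CWDIllegalInDllSearch = 0x{0:X8}' -f $Policy))) {
        # The registry provider wants an Int32 for a DWord, so 0xFFFFFFFF has to be written as -1.
        $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Policy), 0)
        Set-ItemProperty -Path $SessionManagerKey -Name CWDIllegalInDllSearch -Value $dword -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('WebClient service', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    if ($BlockOutboundSmb -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Block outbound TCP 139 and 445')) {
        # Host-side equivalent of the perimeter SMB block. It also breaks access to
        # file servers, so keep it to standalone machines.
        netsh advfirewall firewall add rule name=BlockOutboundSMB dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    }
}

Get-DllHijackMitigationState
Set-DllHijackMitigation -Policy 2 -WhatIf    # preview only; drop -WhatIf to apply
```

Disabling WebClient removes the "open a media file from a WebDAV share" delivery path entirely; the registry value is the more general fix because it changes what LoadLibrary does for every application on the machine, which is why it is the one that does not need every vendor to ship a patch first.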
Re: (Score:3, Informative)
This is notable because it is coming from HDM, a fellow with an excellent reputation who will no-doubt release an easy-to-use exploit (with Metasploit) after app developers have had a chance to patch.
Blaming him? (Score:2)
Look this way, http://www.securityfocus.com/bid/1699/discuss [securityfocus.com]
10 years earlier, Kaminsky reported it very polite and decently and obviously he didn't release an exploit. Did it change anything other than being ignored by MS?
Even Apple as far as I know (and don't like) would stay open at weekend if someone found an issue like that on OS X, until they release a fix. MS doesn't even respond to well known technical news sites run by reporters, not some no name bloggers.
What we're suppose to do (Score:2, Insightful)
So what're we supposed to do?
Run around like headless chickens predicting the end of Microsoft, and Windows, rant and rave about the virtues of Linux, how there are no Linux viruses and how any year now it will be the year of the desktop, and generally feel smug.
You're new here, aren't you?
Re: (Score:2)
So what're we supposed to do?
Panic! Ha ha, just kidding.
As far as I can tell, you are supposed to click on the advertisements in the article.
Re: (Score:2)
A path searching issue exists in iTunes. iTunes will search for a specific DLL in the current working directory. If someone places a maliciously crafted file with a specific name in a directory, opening another file in that directory in iTunes may lead to arbitrary code execution. This issue is addressed by removing the code that uses the DLL. This issue does not affect Mac OS X systems. Credit to Simon Raner of ACROS Security for reporting this issue.
This was the issue he reported in iTunes. Presumably, the same issue exists in other applications. However, it is only exploitable if a remote attacker is able to write the malicious DLL to the directory. Thus, securing any remotely accessible storage will prevent this attack.
Re: (Score:2, Funny)
This sounds like it includes web browsers (given the references to 'viewing a web page' in the article)
Sounds like flash to me. It's always flash.
That is why you should be afraid (Score:2)
The issue has such big evil potential that they are afraid to tell the exact details. You can be sure black hats are all over the private forums, Google and IRC to figure out what this thing could exactly be.
What pisses me off is, it was later "tweeted" to be a 10-year-old bug, reported in an official way (Bugtraq), and 3-5 kernels and Explorers later there was nothing done against it.
http://www.securityfocus.com/bid/1699/discuss [securityfocus.com]
See the reporter? That is one of the most respected white hat hackers, especially in W
how can we trust (Score:2, Insightful)
What a load of crap. On the other hand, I have found a virus that will immediately destroy your computer if you don't send me 1 million dollars.
Re: (Score:2)
How can you trust someone who finds a big bug, but won't say exactly what it is, and has a miraculous cure for it?
Same way you can trust me! Speaking of which, can I interest you in some snake oil?
Re: (Score:2)
Then why announce it to the general public at all ?
If the manufacturers are fixing it, then what's the problem ?
This is just a case of the l33t h4x0r shouting "look how big my balls are, I can tell vendor X,Y,Z what to do", with the hidden undercurrent of "if they don't then I'll fuck them up good by releasing the data to the world".
He tweeted... (Score:5, Funny)
'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,'
That sounds really bad!
'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted
Oh, doesn't seem so bad now...
Re:He tweeted... (Score:4, Funny)
@goofyspouse (817551): mind if I re-tweet this?
Hackers love to tweet (Score:2)
Twitter is loved by people who have something to say, in short, and hate the idea of "blogging" or Facebook.
You can be sure that the actual security issue will be released in traditional .txt form.
I don't have a twitter account.
Re: (Score:2)
Twitter is loved by people who have something to say, in short, and hate the idea of "blogging" or Facebook.
You mean the kind of people who can't form a coherent sentence, who cannot concentrate on one conversation at a time so they follow 20 or 30, just chipping in with useless non-contributions like "I know" and "Oooo, that happened to me too".
Twitter is the digital equivalent of old ladies standing on their doorsteps exchanging "he said, she said" gossip with their doorstep dwelling neighbours.
Shared Objects / Dynamically Linked Libraries (Score:5, Interesting)
I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?
I know he says
but what and why?
Re: (Score:3)
I agree - a remedial patch SHOULDN'T break the existing applications (and if Microsoft applied it, that would just give the vendors pressure to update their apps! What a role reversal, anyways) - but in case you haven't noticed, a lot of Microsoft's "Fixes" actually "break" functioning operations.
All in the name of security.
Re: (Score:2)
Wow, in one post you managed to present both the common sense notion that MS shouldn't care if they break insecure applications, and the most common objection to that notion - that people will blame MS even if it's the other guy's bad application at fault.
Re: (Score:2)
Even the safest APIs can be used stupidly. If the library code is correct but people are calling it in an unsafe manner, there's not a lot that can be done about that. Making changes to library code also requires an immense amount of regression testing. Some programs may be using an API unsafely, but in a non-attacker-controllable manner; those programs may technically have bugs but they run correctly (and securely) now, and if the library code were changed to prevent whatever they're doing those programs w
Re: (Score:3, Informative)
I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?
Because to avoid dependency hell and to compensate for the lack of package management, Windows applications come with private copies of the DLLs they need. If a flaw hits a common library like a JPEG parser you have to go through the file system looking for vulnerable versions and hope all the versions you have installed have fixes available. Or just wait till each application vendor gets around to issuing a patch for their particular application.
Re: (Score:2, Interesting)
Because it's an API change.
If you read the linked description, it says that the problem relates to opening files from remote places. With some Win32 API knowledge, you can derive that the problem is:
- DLL loading [microsoft.com] looks into the process working directory for DLLs (i.e. getcwd())
- Some applications change the working directory to the place where the files they attempt to open reside
- If the malicious actor places a DLL in the same directory as the file to be opened, they can win the race against the applicat
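The mechanism above (an application that sets its working directory to the folder of the file it opens, then calls LoadLibrary with a bare DLL name) and the iTunes advisory quoted earlier in the thread describe the same lookup. Below is an added example, not code from the thread, from Apple or from Acros/Rapid7: a PowerShell model of the default Win32 DLL search order and of the CWDIllegalInDllSearch registry policy that Microsoft's KB2264107 update added, run against two constructed folders. The folder names, the DLL name planted.dll and the WebDAV-path heuristic are assumptions made for the demonstration; the model also skips the KnownDLLs list and already-loaded modules, which the real LoadLibrary checks first.

```powershell
function Test-CwdBlocked {
    # CWDIllegalInDllSearch (KB2264107): 0 = CWD always searched, 1 = skip a WebDAV CWD,
    # 2 = skip a WebDAV or any remote (UNC) CWD, 0xFFFFFFFF = never search CWD.
    param([string] $CurrentDir, [long] $Policy)
    $isUnc    = $CurrentDir.StartsWith('\\')
    $isWebDav = $isUnc -and ($CurrentDir -match 'DavWWWRoot|@SSL|@\d+')   # heuristic, an assumption
    switch ($Policy) {
        0xFFFFFFFF { return $true }
        2          { return $isUnc }
        1          { return $isWebDav }
        default    { return $false }
    }
}

function Get-DllSearchOrder {
    # Directories LoadLibrary("name.dll") walks when the name carries no path.
    param(
        [Parameter(Mandatory)] [string] $AppDir,
        [Parameter(Mandatory)] [string] $CurrentDir,
        [long] $CwdIllegalInDllSearch = 0,
        [bool] $SafeDllSearchMode = $true,
        [string[]] $SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", "$env:SystemRoot"),
        [string[]] $PathDirs = @($env:PATH -split [IO.Path]::PathSeparator)
    )
    $cwd = @()
    if (-not (Test-CwdBlocked -CurrentDir $CurrentDir -Policy $CwdIllegalInDllSearch)) { $cwd = @($CurrentDir) }
    # SafeDllSearchMode (on by default since XP SP2) moves CWD behind the system directories,
    # but it is still ahead of PATH, which is why planting a DLL the app does not ship still works.
    if ($SafeDllSearchMode) { return @($AppDir) + $SystemDirs + $cwd + $PathDirs }
    return @($AppDir) + $cwd + $SystemDirs + $PathDirs
}

function Resolve-DllLoad {
    # First directory in the search order that holds $DllName, or $null if none does.
    param([string] $DllName, [string[]] $SearchOrder)
    foreach ($dir in $SearchOrder) {
        if ([string]::IsNullOrEmpty($dir)) { continue }
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# --- Demonstration on constructed folders under the temp directory ---
$root   = Join-Path ([IO.Path]::GetTempPath()) ('dllsearch-' + [guid]::NewGuid().ToString('N'))
$appDir = Join-Path $root 'app'         # where the application's own DLLs live
$docDir = Join-Path $root 'downloads'   # where the "opened" media file lives
New-Item -ItemType Directory -Path $appDir, $docDir | Out-Null
# The attacker plants a file with a name the application asks for by bare name.
# An empty file stands in for a real DLL; only the lookup is being modelled.
New-Item -ItemType File -Path (Join-Path $docDir 'planted.dll') | Out-Null

# The application does SetCurrentDirectory(<folder of the opened file>) and then LoadLibrary("planted.dll").
$order = Get-DllSearchOrder -AppDir $appDir -CurrentDir $docDir
'Default policy : {0}' -f (Resolve-DllLoad -DllName 'planted.dll' -SearchOrder $order)   # ...\downloads\planted.dll

# Same load with CWDIllegalInDllSearch = 0xFFFFFFFF: the working directory is never consulted.
$order = Get-DllSearchOrder -AppDir $appDir -CurrentDir $docDir -CwdIllegalInDllSearch 0xFFFFFFFF
'CWD removed    : {0}' -f (Resolve-DllLoad -DllName 'planted.dll' -SearchOrder $order)   # empty: not found

# Policy 2 drops a remote CWD (the WebDAV/SMB case the thread's mitigations target) but keeps a local one.
$remote = Get-DllSearchOrder -AppDir $appDir -CurrentDir '\\evil.example\share' -CwdIllegalInDllSearch 2
'Remote CWD kept under policy 2: {0}' -f ($remote -contains '\\evil.example\share')     # False

Remove-Item -Recurse -Force -LiteralPath $root
```

The fixed iTunes sidestepped this by no longer loading that DLL at all. For an application's own code the general fix is to load DLLs by full path, or to call SetDllDirectory("") at startup, which removes the working directory from the default search order for that process without touching the registry.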
Re: (Score:2)
You can choose to include certain libraries statically (so you include the binary code) or dynamically (so you have a reference to a .dll). You can also use the OS to dynamically load a library on-demand so that it is neither opened nor initialized until it is needed. For example, MFC has its own radio button in MS Visual Studio - do you want it static or dynamic? I believe the C runtime (msvcrt.dll) has the same choice but can't be bothered opening it to check. Plus, if it's only an estimated 40 apps,
Each affected program will have to be patched sepa (Score:2)
"Each affected program will have to be patched separately."
And this is why Linux package managers that know how to handle shared library dependencies are better than one-click installers that bring along their own versions of the libraries.
how do we check for all remotely loaded DLL loads (Score:2)
Re: (Score:2)
People do run applications from network shares. But if you want to keep people on your machine from running executables from remote locations, I think you can set up a software restriction policy with an appropriate path rule and with the global settings set to check DLLs too.
I would guess that the problem isn't that reading a data file causes a DLL to be automatically "sucked in" from that location, but that the application sets the current working directory to that location, causing subsequent DLL loads t
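One way to answer the question in the title of this sub-thread, as an added example that is not part of the original posts: enumerate the modules already mapped into running processes and flag the ones loaded from somewhere other than the process's own directory or the standard system and program locations. A remote (UNC) path or a user-writable folder such as Downloads is what a successful planting looks like after the fact. The trusted-root list is this example's assumption; it will also list legitimately installed per-user software, so treat the output as a worklist rather than a verdict.

```powershell
function Get-SuspiciousModuleLoad {
    param(
        # Locations treated as expected (prefix match, case-insensitive); an assumption for this example.
        [string[]] $TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $trusted = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($proc in Get-Process) {
        try {
            $exe     = $proc.Path
            $modules = $proc.Modules
        } catch { continue }                      # access denied, process exited, or 32/64-bit mismatch
        if (-not $exe -or -not $modules) { continue }
        $appDir = (Split-Path -Parent $exe).TrimEnd('\') + '\'
        foreach ($m in $modules) {
            $file = $m.FileName
            if (-not $file) { continue }
            # The application's own directory is the first place LoadLibrary looks, so it is expected.
            if ($file.StartsWith($appDir, [StringComparison]::OrdinalIgnoreCase)) { continue }
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($file.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
            }
            if ($inTrusted) { continue }
            [pscustomobject]@{
                Process    = $proc.ProcessName
                Pid        = $proc.Id
                Module     = $m.ModuleName
                LoadedFrom = $file
                Remote     = $file.StartsWith('\\')   # UNC path: the WebDAV/SMB delivery case
            }
        }
    }
}

Get-SuspiciousModuleLoad | Sort-Object Remote, Process -Descending | Format-Table -AutoSize
```

This only sees loads that succeeded. To find which DLL names an application can be tricked with before anyone plants one, watch the load attempts instead: Process Monitor with a filter on Path ending in .dll and Result NAME NOT FOUND shows every bare-name probe that fell through to the working directory. Run the script from an elevated prompt to see other users' processes; a 32-bit PowerShell cannot read the module list of a 64-bit process.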
First Hand Information is Priceless (Score:2, Informative)
Re: (Score:2, Informative)
http://it.slashdot.org/story/10/08/18/1534258/Linux-Xorg-Critical-Security-Flaw-Silently-Patched?from=rss [slashdot.org]
Re:I Wish I Had the Luxury of Worrying About This. (Score:5, Interesting)
Then worry about this:
Yeah, I'm far more worried about a _fixed_ exploit that requires I install a malicious GUI app than an active exploit that just requires I open a malicious Word document.
Re: (Score:2, Insightful)
Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.
Re: (Score:2)
.. and that's better than the unpatched issue we're discussing how?
Re: (Score:2)
No, of course not and I wasn't implying such a ridiculous thing either. But to act as if just because there is patch out that the issue is now non-existent is silly. It's no different to back when code red was a big problem. Even after Microsoft pushed out a patch, for many months after there were still people spreading the infection due to not updating their systems.
Re: (Score:2)
Ah, sorry for misreading you :)
Re: (Score:2)
Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.
Dude--I use 'cssh'. Every system was patched--and it was done simultaneously to boot.
Re: (Score:2)
Sure, maybe Joe Sixpack is dumb enough to install a random 'Naked Chicks Screensaver' that exploits a Linux bug, but the vast majority of people only install software from their Linux distro, which they have little choice but to trust.
Well hopefully that distro didn't download the trojaned version of unrealIRCD that its own developers didn't realize someone had switched. Or are the developers of that program, and anyone who trusted that what they were sharing wasn't trojaned, just "dumb Joe Sixpacks"?
Re: (Score:2)
If your distro is installing malicious software on your system, then you have much more to worry about than an X-server bug.
Re: (Score:2)
You assume they would be doing it purposefully which isn't necessarily true. In the case of unrealIRCD not even the developers of the program knew that the version they were serving had been switched to a version with a trojan in it until months after they had been serving the files.
Re: (Score:2)
In the case of unrealIRCD not even the developers of the program knew that the version they were serving had been switched to a version with a trojan in it until months after they had been serving the files.
Yeah, one tar file on one server had been hacked. If your distro is downloading random unauthenticated tar files (no signature, not even a checksum) and shipping them out to end-users then you have much bigger problems than a random X-server exploit.
Re: (Score:2)
If your distro is downloading random unauthenticated tar files (no signature, not even a checksum) and shipping them out to end-users then you have much bigger problems than a random X-server exploit.
Because downloading a file from the official of the program is equivalent to downloading a random file from an untrusted server? lolwut?
Re: (Score:2)
Also, where else do you expect distro developers to download the source code for a program if not from the official upstream developers themselves (which is where the trojaned version was pulled from)?
Re: (Score:2)
official website*
Re: (Score:2)
Just to further elaborate, there is nothing in the case of the Xorg exploit that says that the vulnerability in the program that allows someone to use the exploit has to have been put in there purposefully. So this whole notion about distros and their package managers is just a big red herring.
Re: (Score:2)
I honestly don't see why you seem to think that the XOrg vulnerability has something to do with your software updater, rather than being one where any GUI app run by any user can run anything as root.
Re: (Score:3, Interesting)
For the record, I am a Fedora user, not a Windows user. I am willing to acknowledge when there is a security problem. I am glad it was fixed, but that does not imply that it was not a real problem.
Re: (Score:2)
The part where an exploit that allows malicious programs to be run without the user's knowledge? Or did you think there were no such exploits?
So in order to exploit this exploit you need to make up another exploit which already allows them to do anything on my PC with my user privileges, which means that they've already installed a keylogger in Firefox and stolen my bank passwords and I no longer give a flying monkey turd about whether they've trashed my OS.
How far down this 'but what if there was another exploit too!' rabbit-hole do you intend to run?
Re: (Score:2)
Why are you downplaying the significance of this attack?
Re: (Score:3)
So in order to exploit this exploit you need to make up another exploit which already allows them to do anything on my PC with my user privileges, which means that they've already installed a keylogger in Firefox and stolen my bank passwords and I no longer give a flying monkey turd about whether they've trashed my OS.
No. In fact, for example, a maliciously-formed PDF file opened in a PDF reader, even if that reader is run in a sandbox, can be used to gain root through the exploit.
Re: (Score:2)
You might as well give up. Anything you say is going to be thrown back at you with in some ridiculous caricatured form in order for him to dispute it.
Re: (Score:3, Interesting)
Exploitable != Malicious. A system without stack protection is an accident waiting to happen. You should read up on how stack protections [wikipedia.org] eliminate an entire class of exploits, and how subtle exploitable code really is. Even the .NET compiler includes stack protection. I have no idea why Linux has not adopted the use of ProPolice across the board.
My previous response was not a troll; it was based on years of experience running Windows, Linux, Mac and BSD machines. Linux is the most brittle of all of the sys
Re: (Score:2)
Which part of 'the only way the average Linux user is going to be running malicious software is if their distro ships it to them' is proving so hard for Windows users to understand?
What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.
So yeah, I can understand why some people would have a hard time m
Re: (Score:3, Insightful)
What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.
How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat. I and most other Linux users get most of our software from the repositories because 99 percent of anything you'd want to install is in there and the packages in the repos are generally well tested to work with the system
Re: (Score:2)
How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat.
Correct. However, the poster I was responding to was insisting that if you did any of that and got some malware, it was your own fault and that Linux couldn't be expected to run securely if you ever ran something that didn't
Re:I Wish I Had the Luxury of Worrying About This. (Score:4, Insightful)
It really was not a trivial, uninteresting bug. It was a serious security problem for desktop Linux users that had been around for years.
Re: (Score:2, Funny)
But...but...those are clearly just dumb Winblows users!!! HURP DURP!!!
Re: (Score:2)
You are assuming that was the ONLY flaw in Linux...
Not a safe assumption. If that has been around for 7 years, what else could there be?
I'm certainly not saying Linux is less secure than Windows (I'm pretty sure the opposite, in fact, is true), however that doesn't mean that you are safe on that high horse of yours.
Re:I Wish I Had the Luxury of Worrying About This. (Score:4, Insightful)
You misunderstand. The Xorg bug doesn't require a malicious GUI app; it just requires a perfectly normal GUI app with an exploitable vulnerability. So if OpenOffice.org (or Acrobat Reader, or Firefox, or any other document viewer) has a flaw which can be exploited by a malicious document, the Xorg bug turns that into a privilege-escalation vulnerability, circumventing not only the normal permission mechanisms but also tools such as SELinux sandboxes (which protect against malicious code running in the sandboxed user application, not the X server).
Re: (Score:3, Funny)
They fixed a bug in the Linux kernel? I'm worried now.
Re: (Score:3, Insightful)
http://www.archlinux.org/packages/core/i686/kernel26/ [archlinux.org]
Patched on 8/13, new kernel package on 8/14. I'm not concerned. And slower-updating distros generally have a security team to patch these kinds of things into their current kernel release.
Re: (Score:3, Insightful)
Don't run X as root. Who does that these days?
KMS, bitches.
Re: (Score:3, Interesting)
Don't run X as root. Who does that these days?
Probably quite a few. Not everyone is running a version of the 2.6 kernel that has KMS.
Re: (Score:2, Informative)
Who? People that run proprietary drivers from Nvidia or ATI do. So do people that use drivers from less popular vendors that don't yet have KMS in their drivers (KMS is not in every open driver yet). It's enough to stop most distros from shipping with X running as another user.
Re: (Score:3, Interesting)
Actually, even though Nvidia does not support KMS their drivers do support running X as a normal user. Users of the ATI proprietary drivers are SOL.
Using KMS does not automatically remove the root requirement. For example, Ubuntu uses KMS drivers for many cards currently, but one of the big improvements for 10.10 will be to run X as a normal user with some drivers.
Re: (Score:2, Informative)
There are many reasons to use Linux, but better security is not one of them. If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked. It is a common misconception among Linux zealots that Linux doesn't have the security issues that Windows does, but mostly it's because its less popular, and very few exploit writers target Linux machines. In fact, even though ProPolice has been around for years, many Linux
Re:I Wish I Had the Luxury of Worrying About This. (Score:4, Insightful)
I'd say that putting any OS on the Internet without a reasonable firewall is a poor idea, the exception being a laptop [1] just out of necessity. Yes, most operating systems are hardened, but what brings the bugs are the applications that run on them. This is why having a hardened machine with as little running on it as possible is essential between the general purpose computers and the rest of the Internet.
[1]: I have seen tiny embedded Linux adapters just bigger than an Ethernet plug. Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard? This way, it doesn't matter what the OS is, attacks from remote will be minimized, and one could configure it to disallow outgoing ports (such as port 25) that the laptop shouldn't ever need to go out on. I'm sure similar functionality can be done for Wi-Fi. As an added bonus, if a machine gets DoS-ed, it won't be the main CPU that has to sort out the offending packets, but the one on the built-in firewall.
Re: (Score:3, Informative)
but better security is not one of them.
And you'd be wrong. Even with a directly connected Linux box it takes someone manually targeting that machine. As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack. Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.
If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that
Re: (Score:2)
I'm sure you could get these running under Wine.
Re: (Score:2)
But alas, I'm running Linux :)
Ugh. Here we go again...
Re: (Score:2)
I fail to see how that's a problem, as long as it was only your work email box that was erased. That just means less work for you, and any problems can be blamed on IT.
Re: (Score:2)
You to boss: Fuck you!
Honestly, how is data integrity not IT's problem? It was their dumb idea to use Windows, which is so susceptible to malware. They're supposed to have something called "backups" in case of disaster. If they don't, they're not doing their jobs. My current job has an incompetent IT department too, but at my last job, they had some fancy backup system that backed up everything on your desktop, nightly. So if something did wipe out your email inbox or something, they could recover it.
I
Re:Oh noes! (Score:4, Insightful)
(Yes I realize most users do not have either)
Re:Oh noes! (Score:5, Insightful)
A lot of people need to learn the phrase : "Common sense is not so common".
Re:Oh noes! (Score:4, Funny)
These days it could be considered a super power.
Re: (Score:2)
These days it could be considered a super power.
Funny how people don't hire super heroes. They're just expected to use their powers for good 'just because' and get nothing out of it but a grateful society.
And people wonder why these super powers don't arise very often.
Re: (Score:2)
Attribution: Walt Kelly (via Pogo). "Common sense ain't so common no more."
Re: (Score:2)
At least the homepages are looking better (now with Flash) ... unfortunately clicking "Terms & Conditions" gives you a blank page, the blog seems to be entries from cheapcigarettes.co.uk ... oh and did I mention despite the apparent European feel to the site, it's still knockoff sweatshop crap made and shipped from China.