40 Windows Apps Said To Contain Critical Bug
CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."
Re:I Wish I Had the Luxury of Worrying About This. (Score:2, Informative)
http://it.slashdot.org/story/10/08/18/1534258/Linux-Xorg-Critical-Security-Flaw-Silently-Patched?from=rss [slashdot.org]
Re:The Parrot says it best. (Score:3, Informative)
Thanks... you just made my day.
Re:So little detail... (Score:3, Informative)
The article does mention that blocking WebDAV and SMB at your perimeter router will at least prevent the exploit coming from outside your network, though I agree that in general it seems long on FUD and self-congratulation and short on useful content.
Re:So little detail... (Score:4, Informative)
Slight self-correction: blocking SMB at the router and disabling the WebDAV client on all Windows machines. Still, there's a mitigation that should work for most people.
Re:He tweeted... (Score:2, Informative)
Re:I Wish I Had the Luxury of Worrying About This. (Score:2, Informative)
There are many reasons to use Linux, but better security is not one of them. If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked. It is a common misconception among Linux zealots that Linux doesn't have the security issues that Windows does, but mostly it's because it's less popular, and very few exploit writers target Linux machines. In fact, even though ProPolice has been around for years, many Linux distros (including default Ubuntu) do not take advantage of it, and thus open themselves to a myriad of exploits that even Windows XP did not have. The performance gain from not using ProPolice is negligible, and the exploitability of such a machine, given the quality of code from many Linux apps, is almost guaranteed.
So, your smart-ass comment only shows your ignorance. Linux is pretty cool as a development environment, and it's not a half-bad desktop, especially given the price. But I would run Windows Server long before I would consider putting a Linux machine on the net without a decent firewall (i.e. not Linux) in front of it.
Re:I Wish I Had the Luxury of Worrying About This. (Score:2, Informative)
Who? People that run proprietary drivers from Nvidia or ATI do. So do people that use drivers from less popular vendors that don't yet have KMS in their drivers (KMS is not in every open driver yet). It's enough to stop most distros from shipping with X running as another user.
Re:So little detail... (Score:3, Informative)
This is notable because it is coming from HDM, a fellow with an excellent reputation who will no doubt release an easy-to-use exploit (with Metasploit) after app developers have had a chance to patch.
Re:Shared Objects / Dynamically Linked Libraries (Score:3, Informative)
"I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?"
Because to avoid dependency hell and to compensate for the lack of package management, Windows applications come with private copies of the DLLs they need. If a flaw hits a common library like a JPEG parser you have to go through the file system looking for vulnerable versions and hope all the versions you have installed have fixes available. Or just wait till each application vendor gets around to issuing a patch for their particular application.
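The file-system sweep described in the comment above, sketched as an added example that is not part of the original thread: it finds every private copy of one library under a directory tree, groups the copies by content hash, and lists those that do not match a build known to be fixed. The library name `jpeg.dll`, the sample tree and the set of fixed hashes are constructed for illustration; in practice the fixed hashes would come from the vendor's patched release.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_copies(root, dll_name):
    """Map content hash -> sorted paths of every copy of dll_name under root."""
    copies = defaultdict(list)
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != wanted:
                continue
            path = os.path.join(dirpath, name)
            try:
                copies[sha256_of(path)].append(path)
            except OSError:
                continue  # unreadable copy: skip it rather than abort the scan
    return {h: sorted(paths) for h, paths in copies.items()}


def unpatched_copies(inventory, fixed_hashes):
    """Return paths whose hash is not in the set of builds known to be fixed."""
    return sorted(p for h, paths in inventory.items()
                  if h not in fixed_hashes for p in paths)


def demo():
    """Constructed sample tree: three apps, each bundling its own jpeg.dll."""
    with tempfile.TemporaryDirectory() as root:
        builds = {"AppA": b"old build", "AppB": b"fixed build", "AppC": b"old build"}
        for app, content in builds.items():
            os.makedirs(os.path.join(root, app))
            with open(os.path.join(root, app, "JPEG.dll"), "wb") as fh:
                fh.write(content)
        inv = inventory_copies(root, "jpeg.dll")
        fixed = {hashlib.sha256(b"fixed build").hexdigest()}
        stale = unpatched_copies(inv, fixed)
        return len(inv), [os.path.relpath(p, root) for p in stale]
```

Grouping by hash shows how many distinct builds of the library are installed, which is the number of separate vendor fixes the comment says you would be waiting on.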
First Hand Information is Priceless (Score:2, Informative)
Re:I Wish I Had the Luxury of Worrying About This. (Score:3, Informative)
"but better security is not one of them."
And you'd be wrong. Even with a directly connected Linux box it takes someone manually targeting that machine. As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack. Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.
"If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked."
Connect that same box running Windows directly to the internet and you don't even have to announce its presence. It's like auto-hork.
"Linux doesn't have the security issues that Windows does, but mostly it's because it's less popular,"
Another fallacy. If that were true then the exploits out in the wild should be relative to percentage of machines running that OS. And yet there aren't any. That popularity tripe was a talking point from a MSFT PR firm advertising campaign that went around a few years ago.