
40 Windows Apps Said To Contain Critical Bug

CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."
  • Only 40? (Score:2, Insightful)

    by Anonymous Coward on Thursday August 19, 2010 @02:02PM (#33304518)

    Only 40? That's definitely an improvement over the 7 year old Linux exploit that was only just fixed where any GUI app could gain root access.

  • by broken_chaos ( 1188549 ) on Thursday August 19, 2010 @02:07PM (#33304590)

    So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.

    So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?

  • Oh noes! (Score:1, Insightful)

    by PmanAce ( 1679902 ) on Thursday August 19, 2010 @02:07PM (#33304606) Homepage

    I better pull my internet plug until all 40 apps are fixed. 'Cause you know, I use windows and my machine gets infected everyday!
  • how can we trust (Score:2, Insightful)

    by TheRecklessWanderer ( 929556 ) on Thursday August 19, 2010 @02:11PM (#33304666) Journal

    How can you trust someone who finds a big bug, but won't say exactly what it is, and has a miraculous cure for it?

    What a load of crap. On the other hand, I have found a virus that will immediately destroy your computer if you don't send me 1 million dollars.

  • Re:Oh noes! (Score:4, Insightful)

    by mark72005 ( 1233572 ) on Thursday August 19, 2010 @02:12PM (#33304680)

    Exactly... I am dubious on Windows security, but I use Windows boxes all the time without issue due to basic security precautions and basic common sense.

    (Yes I realize most users do not have either)
  • Re:Oh noes! (Score:5, Insightful)

    by Ironhandx ( 1762146 ) on Thursday August 19, 2010 @02:18PM (#33304770)

    A lot of people need to learn the phrase: "Common sense is not so common".

  • by Lunix Nutcase ( 1092239 ) on Thursday August 19, 2010 @02:19PM (#33304782)

    Just because a patch was issued doesn't mean every single system was patched and that there won't be countless people still running a vulnerable version.

  • Re:Only 40? (Score:3, Insightful)

    by Anonymous Coward on Thursday August 19, 2010 @02:27PM (#33304888)

    Technically, any GUI app could gain root access, but this doesn't mean a computer running trusted applications (I trust the apps I run to not gain root and mess with my system) could be exploited without another bug.

    Still probably doesn't compare, and still very bad, but let's not turn it into a bigger scare than it really is.

    by betterunixthanunix ( 980855 ) on Thursday August 19, 2010 @02:37PM (#33305040)

    Or Joe Sixpack visits a website with a Flash applet, and there happens to be a vulnerability in Flash player that allows those applets to issue requests directly to the X server. Or, Joe Sixpack opens a PDF file using acroread, and there is a vulnerability in acroread. Or any number of other vulnerabilities; all an attack needs is to be able to issue requests directly to the X server.

    It really was not a trivial, uninteresting bug. It was a serious security problem for desktop Linux users that had been around for years.
  • by Korin43 ( 881732 ) on Thursday August 19, 2010 @02:39PM (#33305060) Homepage

    http://www.archlinux.org/packages/core/i686/kernel26/

    Patched on 8/13, new kernel package on 8/14. I'm not concerned. And slower-updating distros generally have a security team to patch these kinds of things into their current kernel release.

  • Re:Only 40? (Score:4, Insightful)

    by ByOhTek ( 1181381 ) on Thursday August 19, 2010 @02:44PM (#33305142) Journal

    The problem is - trusted applications can have holes too.

    I mean, many people trust iTunes, and that was one of the apps with the holes (admittedly fixed).

    Are you 100% certain ALL of your trusted applications don't have holes, and the versions you ran in the last 7 years didn't have holes?

    The GUI issue was a HUGE problem - however it is/was fixed, which is the important part.

  • by h4rr4r ( 612664 ) on Thursday August 19, 2010 @02:45PM (#33305150)

    Don't run X as root. Who does that these days?

    KMS, bitches.

  • by JesseMcDonald ( 536341 ) on Thursday August 19, 2010 @02:51PM (#33305234) Homepage

    You misunderstand. The Xorg bug doesn't require a malicious GUI app; it just requires a perfectly normal GUI app with an exploitable vulnerability. So if OpenOffice.org (or Acrobat Reader, or Firefox, or any other document viewer) has a flaw which can be exploited by a malicious document, the Xorg bug turns that into a privilege-escalation vulnerability, circumventing not only the normal permission mechanisms but also tools such as SELinux sandboxes (which protect against malicious code running in the sandboxed user application, not the X server).

  • by Anonymous Coward on Thursday August 19, 2010 @02:52PM (#33305250)

    You assume that most people know:
    a. how to log into their router
    b. how to block an outbound port in their router or
    c. even know what a router or port is

    Verizon's how-to to get into your router is buried. It took me more than 20 minutes to find it on their site the first time I needed to get into one.

  • by mlts ( 1038732 ) * on Thursday August 19, 2010 @03:32PM (#33305758)

    I'd say that putting any OS on the Internet without a reasonable firewall is a poor idea, the exception being a laptop [1] just out of necessity. Yes, most operating systems are hardened, but what brings the bugs are the applications that run on them. This is why having a hardened machine with as little running on it as possible is essential between the general purpose computers and the rest of the Internet.

    [1]: I have seen tiny embedded Linux adapters just bigger than an Ethernet plug. Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard? This way, it doesn't matter what the OS is, attacks from remote will be minimized, and one could configure it to disallow outgoing ports (such as port 25) that the laptop shouldn't ever need to go out on. I'm sure similar functionality can be done for Wi-Fi. As an added bonus, if a machine gets DoS-ed, it won't be the main CPU that has to sort out the offending packets, but the one on the built-in firewall.
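The kind of policy mlts sketches (unsolicited inbound dropped, outbound SMTP blocked, everything else the laptop starts allowed out) can be written as a small nftables ruleset. The block below is an added illustration and is not from the thread or from any product mentioned in it. It assumes a Linux box with nftables, an interface "lan0" facing the protected machine and "wan0" facing the Internet; both names and the choice of port 587 as the intended mail-submission path are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: egress-filtering ruleset for a small inline firewall.
# Assumed interface names: "lan0" = protected host side, "wan0" = Internet side.

flush ruleset

table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        # The firewall itself only answers its own traffic and the LAN side,
        # so it is not reachable for management from the Internet.
        ct state established,related accept
        iif "lo" accept
        iif "lan0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # New connections arriving from the Internet never reach the host.
        iif "wan0" oif "lan0" ct state new drop

        # Egress policy: the host should never speak SMTP (25) directly;
        # mail is assumed to go via an authenticated submission server on 587.
        # Logging the drop gives a detection signal for a host that has
        # started trying to relay mail on its own.
        iif "lan0" oif "wan0" tcp dport 25 counter log prefix "egress-smtp-blocked " drop

        # Everything else the host initiates is allowed out.
        iif "lan0" oif "wan0" ct state new accept
    }
}
```

Load it with `nft -f <file>`; the `counter` and `log` statements on the SMTP rule mean `nft list ruleset` and the kernel log show whether the protected host ever attempted a direct port 25 connection, which is the point of the rule from a defender's side.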

  • by syousef ( 465911 ) on Thursday August 19, 2010 @03:59PM (#33306186) Journal

    > So what're we supposed to do?

    Run around like headless chickens predicting the end of Microsoft, and Windows, rant and rave about the virtues of Linux, how there are no Linux viruses and how any year now it will be the year of the desktop, and generally feel smug.

    You're new here, aren't you?

  • by mandelbr0t ( 1015855 ) on Thursday August 19, 2010 @05:50PM (#33307884) Journal

    > As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack.

    Then you don't know where to look. I've found rootkits for MySQL, various ftpds, old versions of Apache, etc. Automating such rootkits is a trivial task. Writing C code given the explanation of the vulnerability is usually also a trivial task. Hell, the first Linux server I put on the 'net in '98 was rooted within a month through a vulnerability in wuftpd. It certainly wasn't any kind of targeted attack, as it simply put eggdrop in an obscure location and replaced /bin/ps to hide the process.

    > Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.

    And therein lies the rub. My Linux server was rooted because wuftpd ran with elevated privileges, as it was delivered by the distro. Older Windows versions did basically everything as Administrator, so the privilege escalation part was trivial. Later versions of Windows do not have this problem. Every single problem that you point to in Windows either no longer exists, or also existed in the default installation of a particular distro. Yeah, you can do your own security and do better, but you can say the same about any OS. The problem is that most people use the defaults, not having the time or inclination to become an expert in, say, SELinux.

    > Connect that same box running Windows directly to the internet and you don't even have to announce its presence. It's like auto-hork

    OK, I'll do you one better. I've announced its presence but won't tell you where it is. It's running Server 2003 with SP3 and has a hardware firewall in front of it. That should be more than enough to root it if your boast is even remotely true.

    > If that were true then the exploits out in the wild should be relative to percentage of machines running that OS. And yet there aren't any.

    Once again, you don't know where to look. And, the number of exploits available for Windows 7 is considerably lower than for previous versions, probably in part due to the stack protections in the .NET framework. Until ProPolice is implemented in every default Linux distro, Linux is more exploitable than Windows, as every single mistake that can lead to a buffer overflow is exploitable, whereas with stack protection it is not.

    > That popularity tripe was a talking point from a MSFT PR firm advertising campaign that went around a few years ago.

    And let's not forget the fine marketing campaign from the Linux side. Information wants to be Free! Proprietary Software is Evil and will only be used to Invade Your Privacy and Sell You Stuff You Don't Want. Bask in the Free Goodness and Never Get Paid to Code Again! All marketing is bullshit, and frankly, there's so much FUD on all sides that I've decided that my loyalty is simply for sale. Maybe one day you will become hungry and desperate enough that it's simply not worth getting involved in the politics.

  • by oakgrove ( 845019 ) on Friday August 20, 2010 @12:22AM (#33310492)

    > What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.

    How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat. I and most other Linux users get most of our software from the repositories because 99 percent of anything you'd want to install is in there and the packages in the repos are generally well tested to work with the system you are using. It would be foolish to not use them. With the iPhone, unless you jailbreak it, you're locked in. That's a walled garden. No Linux distro I've ever used has worked like that at all.
