Forgot your password?
typodupeerror
Bug Security Windows Technology

40 Windows Apps Said To Contain Critical Bug 158

Posted by timothy
from the and-the-other-ones-are-worse dept.
CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."
This discussion has been archived. No new comments can be posted.

40 Windows Apps Said To Contain Critical Bug

Comments Filter:
  • by Anonymous Coward on Thursday August 19, 2010 @02:02PM (#33304502)
  • Only 40? (Score:2, Insightful)

    by Anonymous Coward

    Only 40? That's definitely an improvement over the 7 year old Linux exploit that was only just fixed where any GUI app could gain root access.

    • And to those who run commandline, pffft.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Technically, any GUI app could gain root access, but this doesn't mean a computer running trusted applications (I trust the apps I run to not gain root and mess with my system) could be exploited without another bug.

      Still probably doesn't compare, and still very bad, but let's not turn it into a bigger scare than it really is.

      • Re:Only 40? (Score:4, Insightful)

        by ByOhTek (1181381) on Thursday August 19, 2010 @02:44PM (#33305142) Journal

        The problem is - trusted applications can have holes too.

        I mean, many people trust iTunes, and that was one of the apps with the holes (admittedly fixed).

        Are you 100% certain ALL of your trusted applications don't have holes, and the versions you ran in the last 7 years didn't have holes?

        The GUI issue was a HUGE problem - however it is/was fixed, which is the important part.

        • Re: (Score:3, Informative)

          by hairyfeet (841228)

          If you are really worried about holes in your apps perhaps you should be running Comodo Internet Security [comodo.com] or Comodo AV (same link) which by default sandboxes ALL apps you run unless you tell it otherwise. I've found a good 9 out of 10 apps run just fine in a sandbox, and Comodo makes it easy to sandbox any app and by default will sandbox new apps and new installs to protect your PC. Oh and it is 100% free too, with no nag emails or need to register.

          Since giving my customers and family Comodo I've found th

  • Really? (Score:5, Funny)

    by Anonymous Coward on Thursday August 19, 2010 @02:03PM (#33304534)

    Just 40?

    • Re: (Score:3, Funny)

      by zuvembi (30889)

      Well now, I think the real question is how many *aren't* made by Adobe?

    • That was my thought. Microsoft issued a hotfix for Visual Studio 2008 last year that corrected a security vulnerability in their ATL libraries. (This is the same hotfix that, if you installed it and VS2008's SP1 in a bad sequence, you'd screw over the install. I was up all night on that one. *sigh*)

      The problem? This security vulnerability was in a C++ template, which means that the bug is stuck permanently within any program compiled against it. It's not like the CRT or MFC shared libraries which can be rep

    • According to The Register article, it is 200 now and counting. In fact, 40-200 etc. happens because downloading/testing software takes time, not anything else :)

    • Since when is the fact that programs have bugs news.

      Being a programmer is almost as depressing as being a meteorologist. People use your services/products on daily bases but only remember you when you get things wrong.

      Also making a bug free application is almost as hard as making a faultless weather prediction for an entire month.

      I don't know why we,programmers and meteorologist, even try (though programmers also catch and throw).

  • /. is as bad for this as anywhere else on the net as far as I can tell. All bugs are flaws, but flaws are not necessarily bugs. This sounds like a flaw, even a vulnerability, but not a bug. Sorry, as you were.
  • by broken_chaos (1188549) on Thursday August 19, 2010 @02:07PM (#33304590)

    So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.

    So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?

    • by 0123456 (636235) on Thursday August 19, 2010 @02:12PM (#33304674)

      There's no detail here, not even cursory detail, on what filetypes or applications to avoid.

      Presumably anything that runs on Windows would be a good first approximation.

    • Re: (Score:3, Informative)

      by parkrrrr (30782)

      The article does mention that blocking WebDAV and SMB at your perimeter router will at least prevent the exploit coming from outside your network, though I agree that in general it seems long on FUD and self-congratulation and short on useful content.

      • by parkrrrr (30782) on Thursday August 19, 2010 @02:16PM (#33304736)

        Slight self-correction: blocking SMB at the router and disabling the WebDAV client on all Windows machines. Still, there's a mitigation that should work for most people.

    • Re: (Score:3, Informative)

      by Lord Ender (156273)

      This is notable because it is coming from HDM, a fellow with an excellent reputation who will no-doubt release an easy-to-use exploit (with Metasploit) after app developers have had a chance to patch.

      • Look this way, http://www.securityfocus.com/bid/1699/discuss [securityfocus.com]

        10 years earlier, Kaminsky reported it very polite and decently and obviously he didn't release an exploit. Did it change anything other than being ignored by MS?

        Even Apple as far as I know (and don't like) would stay open at weekend if someone found an issue like that on OS X, until they release a fix. MS doesn't even respond to well known technical news sites run by reporters, not some no name bloggers.

    • So what're we supposed to do?

      Run around like headless chickens predicting the end of Microsoft, and Windows, rant and rave about the virtues of Linux, how there are no Linux viruses and how any year now it will be the year of the desktop, and generally feel smug.

      You're new here, aren't you?

    • So what're we supposed to do?

      Panic! Ha ha, just kidding.
      As far as I can tell, you are supposed to click on the advertisements in the article.

    • From the Apple article linked from TFA:

      A path searching issue exists in iTunes. iTunes will search for a specific DLL in the current working directory. If someone places a maliciously crafted file with a specific name in a directory, opening another file in that directory in iTunes may lead to arbitrary code execution. This issue is addressed by removing the code that uses the DLL. This issue does not affect Mac OS X systems. Credit to Simon Raner of ACROS Security for reporting this issue.

      This was the issue he reported in iTunes. Presumably, the same issue exists in other applications. However, it is only exploitable if a remote attacker is able to write the malicious DLL to the directory. Thus, securing any remotely accessable storage will prevent this attack.

    • Re: (Score:2, Funny)

      by roju (193642)

      This sounds like it includes web browsers (given the references to 'viewing a web page' in the article)

      Sounds like flash to me. It's always flash.

    • Issue has so big evil potential that, they are afraid to tell the exact details. You can be sure black hats are all over the private forums, google and irc to figure out what this thing could exactly be.

      What pisses me off is, it was later "tweeted" to be a 10 year old, reported bug, in official way (Bugtraq) and 3-5 kernels and explorers later, there was nothing done against it.

      http://www.securityfocus.com/bid/1699/discuss [securityfocus.com]

      See the reporter? That is one of the most respected white hat hackers, especially in W

  • How can you trust someone who finds a big bug, but won't say exactly what it is, and have a miraculous cure for it.

    What a load of crap. On the other hand, I have found a virus that will immediately destroy your computer if you don't send me 1 million dollars.

    • How can you trust someone who finds a big bug, but won't say exactly what it is, and have a miraculous cure for it.

      Same way you can trust me! Speaking of which, can I interest you in some snake oil?

    • by 0racle (667029)
      What miracle fix?
  • by MrMe (172559) on Thursday August 19, 2010 @02:18PM (#33304766)

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,'

    That sounds really bad!

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted

    Oh, doesn't seem so bad now...

    • Re: (Score:2, Informative)

      by goofyspouse (817551)
      Mod parent up. Anyone who tweets anything is not worthy of being taken seriously.
      • by clone53421 (1310749) on Thursday August 19, 2010 @02:59PM (#33305344) Journal

        @goofyspouse (817551): mind if I re-tweet this?

      • Twitter is loved by people who has something to say, in short and hates the idea of "blogging" or facebook.

        You can be sure that the actual security issue will be released in traditional .txt form.

        I don't have a twitter account.

        • by daveime (1253762)

          Twitter is loved by people who has something to say, in short and hates the idea of "blogging" or facebook.

          You mean the kind of people who can't form a coherent sentence, who cannot concentrate on one conversation at a time so they follow 20 or 30, just chipping in with useless non-contributions like "I know" and "Oooo, that happened to me too".

          Twitter is the digital equivalent of old ladies standing on their doorsteps exchanging "he said, she said" gossip with their doorstep dwelling neighbours.

  • Or windows have several orders less apps than i think, or is the safest operating system on earth (ok, or something is missing in that formulation, like being 40: as in millons, or just counting in the included by default apps)
  • by VGPowerlord (621254) on Thursday August 19, 2010 @02:36PM (#33305008)

    I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?

    I know he says

    There may be fixes that can be applied at the OS level, but these are likely to break existing applications.

    but what and why?

    • I agree - a remedial patch SHOULDN'T break the existing applications (and if Microsoft applied it, that would just give the vendors pressure to update their apps! What a role reversal, anyways) - but in case you haven't noticed, a lot of Microsoft's "Fixes" actually "break" functioning operations.

      All in the name of security.

      • by parkrrrr (30782)

        Wow, in one post you managed to present both the common sense notion that MS shouldn't care if they break insecure applications, and the most common objection to that notion - that people will blame MS even if it's the other guy's bad application at fault.

    • by cbhacking (979169)

      Even the safest APIs can be used stupidly. If the library code is correct but people are calling it in an unsafe manner, there's not a lot that can be done about that. Making changes to library code also requires an immense amount of regression testing. Some programs may be using an API unsafely, but in a non-attacker-controllable manner; those programs may technically have bugs but they run correctly (and securely) now, and if the library code were changed to prevent whatever they're doing those programs w

    • Re: (Score:3, Informative)

      by amorsen (7485)

      I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?

      Because to avoid dependency hell and to compensate for the lack of package management, Windows applications come with private copies of the DLL's they need. If a flaw hits a common library like a JPEG parser you have to go through the file system looking for vulnerable versions and hope all the versions you have installed have fixes available. Or just wait till each application vendor gets around to issuing a patch for their particular application.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Because it's an API change.

      If you read the linked description, it says that the problem relates to opening files from remote places. With some Win32 API knowledge, you can derive that the problem is:

      - DLL loading [microsoft.com] looks into the process working directory for DLLs (i.e. getcwd())
      - Some applications change the working directory to the place where the files they attempt to open reside
      - If the malicious actor places a DLL in the same directory as the file to be opened, they can win the race against the applicat

    • by b4dc0d3r (1268512)

      You can choose to include certain libraries statically (so you include the binary code) or dynamically (so you have a reference to a .dll). You can also use the OS to dynamically load a library on-demand so that it is neither opened nor initialized until it is needed. For example, MFC has its own radio button in MS Visual Studio - do you want it static or dynamic? I believe the C runtime (msvcrt.dll) has the same choice but can't be bothered opening it to check. Plus, if it's only an estimated 40 apps,

  • Need your computer hacked? There's an app for that.
  • "Each affected program will have to be patched separately."

    And this is why Linux package managers that know how to handle shared library dependencies are better than one-click installers that bring along their own versions of the libraries.

  • to enable by default, remote/network based DLL's to automatically be loaded, and then call this a bug in the applications which do basic DLL loading, me thinks something fishy is going on. Is there a way to watch for any and all DLL's loading from outside of the local machine? I'd like to see who might be feeding their application DLL's over the interweb. Legit or not, this sounds like an OS flaw when just loading a data file allows the application processing the data file to suck in DLL's from the locati
    • by parkrrrr (30782)

      People do run applications from network shares. But if you want to keep people on your machine from running executables from remote locations, I think you can set up a software restriction policy with an appropriate path rule and with the global settings set to check DLLs too.

      I would guess that the problem isn't that reading a data file causes a DLL to be automatically "sucked in" from that location, but that the application sets the current working directory to that location, causing subsequent DLL loads t

  • Here's a link to the original advisory. It's worth a read as it contains useful remediation advice: http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt [acrossecurity.com]

"Consequences, Schmonsequences, as long as I'm rich." -- "Ali Baba Bunny" [1957, Chuck Jones]

Working...