Metasploit's HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks.
Moore issued a brief warning about the issue via Twitter and linked to a critical bulletin from Acros, a Slovenian security research outfit, that references a remote code execution bug patched in Apple's latest iTunes update.
A "binary planting" vulnerability in Apple iTunes for Windows allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.
Since Windows systems by default have the Web Client service running (which makes remote network shares accessible via WebDAV), the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.
A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.
"I ran across it working on the shortcut bug and about fell out of my chair," Moore said in an interview. "It made the LNK exploit almost pointless."
That LNK exploit, fixed by Microsoft in an emergency out-of-band patch, was discovered as part of a sophisticated malware attack that combined the Windows zero-day flaw with security problems in SCADA systems and used stolen signed drivers to bypass security software.
Moore declined to provide details of the new security problem until he got a chance to brief Microsoft's security response team on his findings.
"Anyone who worked on the shortcut exploit will know exactly what the issue is by now. A bunch of people know about it," he said. "The bug is bad behavior on the part of certain Windows applications when loading files from a network share," Moore added.
He declined to identify the 40 Windows applications that are vulnerable until after his discussions with Microsoft. "It's a wide range of things that are vulnerable, some open-source as well as commercial."
According to Computerworld's Gregg Keizer, each affected application will have to be patched separately.
"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."
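The behaviour Moore describes, a locally installed program pulling a DLL from the same network share as the "safe" file the user opened, leaves a distinctive trace in module-load telemetry. The following is an added detection example, not code from the article or from Metasploit; the event records are constructed, and their field names are an assumption modelled on Sysmon's ImageLoad event (loading process, loaded module, signature state). It flags DLLs loaded from UNC paths, rates the load by whether the loading program is itself local and whether the DLL is signed, and recognises the WebDAV mini-redirector path syntax the article's Internet-share variant would produce.

```python
import ntpath
import re
from typing import List, Optional

# Constructed sample image-load records (not taken from the article). Field names
# are an assumption modelled on Sysmon's ImageLoad event.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\iTunes\iTunes.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\iTunes\iTunes.exe",
     "ImageLoaded": r"\\fileserver.example\music\someplugin.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\webhost.example@SSL\DavWWWRoot\docs\helper.dll", "Signed": "false"},
    {"Image": r"\\fileserver.example\tools\setup.exe",
     "ImageLoaded": r"\\fileserver.example\tools\setup.dll", "Signed": "false"},
]

UNC_RE = re.compile(r"^\\\\[^\\]+\\")        # \\host\share\... (also WebDAV UNC form)
WEBDAV_MARKERS = ("@SSL", "DavWWWRoot")      # Windows WebDAV mini-redirector path syntax

def is_unc(path: str) -> bool:
    return bool(UNC_RE.match(path))

def is_webdav(path: str) -> bool:
    return is_unc(path) and any(m.lower() in path.lower() for m in WEBDAV_MARKERS)

def classify(event: dict) -> Optional[dict]:
    """Alert on a DLL loaded from a network share. A locally installed program doing
    so is the binary-planting pattern (high; critical if the DLL is unsigned). A
    program that itself runs from the share loading a companion DLL is expected
    behaviour and is only noted at low severity."""
    loaded = event["ImageLoaded"]
    if not loaded.lower().endswith(".dll") or not is_unc(loaded):
        return None
    loader_local = not is_unc(event["Image"])
    severity = "high" if loader_local else "low"
    if loader_local and event.get("Signed", "false").lower() != "true":
        severity = "critical"
    return {
        "process": ntpath.basename(event["Image"]),
        "dll": ntpath.basename(loaded),
        "host": loaded.split("\\")[2],       # host component of \\host\share\...
        "via_webdav": is_webdav(loaded),
        "severity": severity,
    }

def scan(events: List[dict]) -> List[dict]:
    return [a for a in (classify(e) for e in events) if a is not None]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: two critical loads by local programs (one over SMB, one over WebDAV) and one low-severity note for the share-resident installer.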
Moore is expected to go public with more details next Monday.