HD Moore: Critical bug in 40 different Windows apps

UPDATE: Details emerge on new DLL load hijacking Windows attack vector

Metasploit's HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks.

Moore issued a brief warning about the issue via Twitter and linked to a critical bulletin from Acros, a Slovenian security research outfit, that references a remote code execution bug patched in Apple's latest iTunes update.

From Acros:

A "binary planting" vulnerability in Apple iTunes for Windows allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.

According to the advisory, all a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes - which should require minimal social engineering.

Since Windows systems by default have the Web Client service running (which makes remote network shares accessible via WebDAV), the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.

A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.

"I ran across it working on the shortcut bug and about fell out of my chair," Moore said in an interview. "It made the LNK exploit almost pointless."

That LNK exploit, patched via an emergency out-of-band patch by Microsoft, was discovered as part of a sophisticated malware attack that combined the Windows zero-day flaw with security problems in SCADA systems and used stolen signed drivers to bypass security software.

Moore declined to provide details of the new security problem until he got a chance to brief Microsoft's security response team on his findings.

"Anyone who worked on the shortcut exploit will know exactly what the issue is by now. A bunch of people know about it," he said. "The bug is bad behavior on the part of certain Windows applications when loading files from a network share," Moore added.

He declined to identify the 40 Windows applications that are vulnerable until after his discussions with Microsoft. "It's a wide range of things that are vulnerable, some open-source as well as commercial."

According to Computerworld's Gregg Keizer, each affected application will have to be patched separately.

"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."
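As an added example (not from the article, Moore or Acros), the following is detection logic a defender could run over image-load telemetry to flag the end result Moore describes: a .dll pulled into a user application from an SMB or WebDAV share. The records are constructed and shaped like Sysmon Event ID 7 fields (Image, ImageLoaded); process names and share paths are placeholders.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 7 ("Image loaded"):
# Image = the process, ImageLoaded = the module it loaded. Process names and
# share paths are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\MediaApp\player.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\MediaApp\player.exe",
     "ImageLoaded": r"\\fileserver\media\helper.dll"},
    {"Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"\\203.0.113.10@80\DavWWWRoot\docs\codec.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\fileserver\media\readme.txt"},
]

# \\host\share\... (SMB UNC path)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
# WebDAV redirector forms: \\host@80\..., \\host@SSL@443\..., or a DavWWWRoot segment
WEBDAV_RE = re.compile(r"^\\\\[^\\]+@(?:ssl@)?\d+\\|\\davwwwroot\\", re.IGNORECASE)


def classify_source(path):
    """Return 'webdav', 'smb-unc' or None for a loaded-module path."""
    if WEBDAV_RE.search(path):
        return "webdav"          # checked first: WebDAV paths are also UNC paths
    if UNC_RE.match(path):
        return "smb-unc"
    return None                  # local drive; drive-mapped shares (Z:\) are not
                                 # visible here and need a separate mapping check


def find_remote_dll_loads(events):
    """Flag every .dll loaded from a network location, with its source type."""
    hits = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        if not loaded.lower().endswith(".dll"):
            continue
        source = classify_source(loaded)
        if source:
            hits.append({"process": ev.get("Image"), "dll": loaded, "source": source})
    return hits


if __name__ == "__main__":
    for hit in find_remote_dll_loads(SAMPLE_EVENTS):
        print(f"[{hit['source']}] {hit['process']} loaded {hit['dll']}")
```

A real deployment would feed this from the event log and add an allow-list for applications that legitimately load modules from administered shares.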

Moore is expected to go public with more details next Monday.

Talkback

95 comments
  • this is just nuts

    Are you sure you at ZDNet, and Acros, and Moore himself, can't see exactly how?
    Narr vi
    • You have to add Ed Bott to that list

      @Narr vi

      Ed published a priceless piece yesterday. The guy forgot to mention that in the same time frame where 150 million Win7 copies were sold more than 220 million PC hardware units were also sold putting win7 penetration on new units at less than 68%, an historic low but somehow Ed and all the MS talkback crew failed to mention that inconvenient fact.

      That's just nuts!!!
      OS Reload
      • this is just nuts

        @OS Reload well, what I meant was this publicising that there's something more for the attackers to use.

        The least Microsoft could do is to publish a Fixit or much better, an interim out-of-band update, which will turn off WebDav and SMB in the way ComputerWorld mentions, which will apparently remove this problem as a web-dangerous exploit for anyone not needing Webdav.

        This would give Microsoft a chance to get a handle on how to fix overall. It's hard to buy the 'patch every app' kind of thinking. Just using a little sense.
        Narr vi
      • RE: HD Moore: Critical bug in 40 different Windows apps

        So you're saying he should be telling people using Windows that Apple's craptacular software was exposing them to yet another exploit?
        Hallowed are the Ori
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @OS Reload That is because large companies are still testing applications and upgrading / fixing applications that are not compatible. Once they are ready to upgrade they will, it has nothing to do with how good XP is or Win 7 is. It is not an "inconvenient fact", but you definitely have blinders on.
        rmark2
      • Are you nuts?

        @OS Reload

        Many of the corporate systems that we buy still come with XP preinstalled. Of course, we wipe them and install Windows 7 64 bit before they go to our users, but I am sure that they still show up as XP sales.
        itpro_z
      • Did you read the article?

        @Hallowed are the Ori:

        If you had read it, you would have seen that Apple issued a patch that FIXES this issue in iTunes, but that Moore found 40 other Windows applications that were still vulnerable. Notice Moore was going to discuss the issue with Microsoft, not Apple.

        Maybe you need new glasses, or Hooked on Phonics ...
        RationalGuy
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @OS Reload
        Well, I'm sure that he remembered that larger users buy site licenses and therefore purchase neither single copies nor PC hardware with the OS included. Did you?
        robertrosenthal
    • RE: HD Moore: Critical bug in 40 different Windows apps

      look look http://ta.gg/4or
      lincc240
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @lincc240
        look! look! nobody fell for it.
        Mike062
  • Another day, another torrent of windows exploits

    Some things will never change.
    OS Reload
    • Only if you use iTunes :)

      @OS Reload
      The one and only, Cylon Centurion
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @NStalnecker

        Or 39 other apps, lol.
        RealNonZealot
      • Read more carefully

        if this is an iTunes bug, then why is the guy briefing Microsoft and not Apple?
        frgough
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @NStalnecker No, only if you keep updating versions of iTunes that are more and more bloated.
        NJtoTX
      • Reading is Fundamental

        @NStalnecker

        The vulnerability in iTunes was patched. It still exists in 40 other Windows applications.

        Those little squiggly lines are called "letters" and they combine to form "words". Those are strung together to make "sentences". Those are grouped together into "paragraphs". When you read them all in a row, that conveys information to you. You're not supposed to pick and choose a few words and stop.
        RationalGuy
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @NStalnecker
        You are absolutely correct! That's why I will not allow any ithingy and apple thingy into my home. Absolutely not!
        eargasm
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @NStalnecker

        Try reading and comprehending the article before responding.
        msalzberg
    • Social engineering, which affects Linux more than any OS, is used as FUD...

      Another day, another ABMer clinging to a social engineering required hack as somehow making Windows somehow more vulnerable.
      The only Linux system I own at home is linked to a worldwide network of Linux based systems which is hacked to pieces and makes using the said product useless and a great display of what Linux buys you. Kids and adults alike hacking Linux to their hearts' content and making a huge global company look like they are running a cesspool for a system.

      But go on and beat your chest about ABM while the facts have shown it's the most overall secure OS on the market today.

      And please back up your statement that 68% penetration by a Windows OS at LESS than one year old is an historic low. Please provide some kind of data and also show the data that supports your 68% claim to begin with. I want to see documentation of total PC sales that match exactly the time period of said Windows sales.
      There are Apple leaning sites that are admitting that Windows 7 has been an historic success.

      What some won't do for the sake of hating MS
      xuniL_z
      • RE: HD Moore: Critical bug in 40 different Windows apps

        @xuniL_z I have 4 computers running Linux and have never had a major problem with them as of yet. If your Linux is hacked to pieces as you say it is, I have to ask why you allow this? On the other hand I have 2 computers running Win XP problem free and 1 Win Vista nightmare machine which seems to hate various things.
        It's all about making MONEY; it doesn't matter if it's MS or Apple, Intel or AMD and on and on, it's all money and the old game of we are better than you. One would think they would quietly fix these exploits rather than alert the evil doers to the problems at hand.
        Computek
        computekslair