
Zero Day

Ryan Naraine and Dancho Danchev

HD Moore: Critical bug in 40 different Windows apps

By Ryan Naraine | August 19, 2010, 9:49am PDT

Summary: Metasploit’s HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks.

UPDATE: Details emerge on new DLL load hijacking Windows attack vector


Moore issued a brief warning about the issue via Twitter and linked to a critical bulletin from Acros, a Slovenian security research outfit, that references a remote code execution bug patched in Apple’s latest iTunes update.

From Acros:

A “binary planting” vulnerability in Apple iTunes for Windows allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.


According to the advisory, all a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes - which should require minimal social engineering.

Since Windows systems by default have the Web Client service running, which makes remote network shares accessible via WebDAV, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.

A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.

“I ran across it working on the shortcut bug and about fell out of my chair,” Moore said in an interview. “It made the LNK exploit almost pointless.”

That LNK exploit, patched via an emergency out-of-band patch by Microsoft, was discovered as part of a sophisticated malware attack that combined the Windows zero-day flaw with security problems in SCADA systems and used stolen signed drivers to bypass security software.

Moore declined to provide details of the new security problem until he got a chance to brief Microsoft’s security response team on his findings.

“Anyone who worked on the shortcut exploit will know exactly what the issue is by now. A bunch of people know about it,” he said. “The bug is bad behavior on the part of certain Windows applications when loading files from a network share,” Moore added.

He declined to identify the 40 Windows applications that are vulnerable until after his discussions with Microsoft. “It’s a wide range of things that are vulnerable, some open-source as well as commercial.”

According to Computerworld’s Gregg Keizer, each affected application will have to be patched separately.

“The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ’safe’ file type from a network share [either on the local network or the Internet],” Moore said in an e-mail reply to questions. “It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content.”
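To make the mechanism Moore describes concrete, here is an added example that simulates the Windows DLL search order in Python. It is not code from the article, Metasploit or Acros. The key fact it models: when Explorer launches an application to open a file from a share, the application's current directory is that share, so an application that calls LoadLibrary with a bare DLL name, for a DLL not present in its own directory or the system directories, gets the attacker's copy. The application, share and DLL names are constructed; the `cwd_policy` parameter roughly models the CWDIllegalInDllSearch registry setting Microsoft later shipped, and the 16-bit system directory is omitted from the order for brevity.

```python
"""Simulate the Windows DLL search order to show how opening a 'safe' file
from a network share gets an attacker's DLL loaded (binary planting).

Added example: this is not code from the article, Metasploit or Acros.
All paths, application and DLL names are constructed for illustration.
"""
from pathlib import PureWindowsPath as P

# Constructed layout of the victim machine and the attacker's share.
APP_DIR = P(r"C:\Program Files\MediaPlayer")   # hypothetical vulnerable app
SYSTEM32 = P(r"C:\Windows\System32")
WINDOWS = P(r"C:\Windows")
PATH_DIRS = [SYSTEM32, P(r"C:\Tools")]
SHARE = P(r"\\evil.example\media")              # attacker's SMB/WebDAV share
LOCAL_DL = P(r"C:\Users\victim\Downloads")      # a local folder, for contrast

# Files that exist. The share holds the lure plus two planted DLLs.
FILESYSTEM = {
    SYSTEM32 / "kernel32.dll",
    SYSTEM32 / "version.dll",
    SHARE / "playlist.m3u",         # the 'safe' file type the user opens
    SHARE / "codec_helper.dll",     # the app asks for this; no copy exists locally
    SHARE / "version.dll",          # shadows a real system DLL
    LOCAL_DL / "codec_helper.dll",  # same planted DLL, saved to a local folder
}
KNOWN_DLLS = {"kernel32.dll"}       # KnownDLLs always come from System32


def is_remote(directory):
    r"""True for UNC paths (\\server\share\...), i.e. network locations."""
    return directory.drive.startswith("\\\\")


def search_order(app_dir, cwd, safe_search=True, cwd_policy="allow"):
    """Directories the loader tries, in order, for a bare DLL name.

    safe_search: SafeDllSearchMode (on by default since XP SP2). On, the
        current directory is searched after the system directories; off,
        it is searched second, right after the application directory.
    cwd_policy: "allow" is stock behaviour; "block_remote" drops the current
        directory only when it is a network location; "block_all" never
        searches it (what SetDllDirectory("") gives an application). The
        latter two roughly model the CWDIllegalInDllSearch registry setting.
    The 16-bit system directory is omitted for brevity.
    """
    use_cwd = cwd_policy == "allow" or (
        cwd_policy == "block_remote" and not is_remote(cwd))
    order = [app_dir]
    if use_cwd and not safe_search:
        order.append(cwd)
    order += [SYSTEM32, WINDOWS]
    if use_cwd and safe_search:
        order.append(cwd)
    return order + PATH_DIRS


def resolve(dll_name, cwd, safe_search=True, cwd_policy="allow", fs=FILESYSTEM):
    """Directory from which LoadLibrary(dll_name) would load, or None if the
    load fails. The attacker wins whenever this returns a directory they control."""
    if dll_name.lower() in KNOWN_DLLS:
        return SYSTEM32
    for directory in search_order(APP_DIR, cwd, safe_search, cwd_policy):
        if directory / dll_name in fs:
            return directory
    return None


def demo():
    """The user double-clicks playlist.m3u on the share, so Explorer starts
    the player with the share as its current directory."""
    return {
        # A DLL the app wants but which is not installed: the share supplies it
        # even with SafeDllSearchMode on. This is the pattern behind most of
        # the vulnerable applications.
        "missing_dll_default": resolve("codec_helper.dll", SHARE),
        # A real system DLL is protected by the safe search order ...
        "system_dll_safe": resolve("version.dll", SHARE, safe_search=True),
        # ... but is shadowed by the share when safe search is off.
        "system_dll_unsafe": resolve("version.dll", SHARE, safe_search=False),
        # KnownDLLs never hit the search path at all.
        "known_dll": resolve("kernel32.dll", SHARE, safe_search=False),
        # Blocking remote current directories turns the attack into a failed load ...
        "missing_dll_block_remote": resolve("codec_helper.dll", SHARE, cwd_policy="block_remote"),
        # ... but does nothing if the lure and DLL were saved to a local folder.
        "missing_dll_local_folder": resolve("codec_helper.dll", LOCAL_DL, cwd_policy="block_remote"),
        # Removing the current directory from the search covers both cases.
        "missing_dll_block_all": resolve("codec_helper.dll", LOCAL_DL, cwd_policy="block_all"),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case:26s} -> {where if where else 'load fails'}")
```

The "missing DLL" case is the one to watch for when auditing an application: an optional or platform-specific library that the program probes for by bare name and that is absent on most installs means every directory late in the search order, the current directory included, becomes a place the attacker can supply it from. Disabling the Web Client service removes the Internet-based variant but not the local-share or downloaded-folder variants.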

Moore is expected to go public with more details next Monday.





Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 95 Talkbacks)

  • this is just nuts
    Are you sure you at ZDNet, and Acros, and Moore himself, can't see exactly how?
    Narr vi
    19th Aug 2010
  • You have to add Ed Bott to that list
    @Narr vi

    Ed published a priceless piece yesterday. The guy forgot to mention that in the same time frame where 150 million Win7 copies were sold more than 220 million PC hardware units were also sold putting win7 penetration on new units at less than 68%, an historic low but somehow Ed and all the MS talkback crew failed to mention that inconvenient fact.

    That's just nuts!!!
    OS Reload
    19th Aug 2010
  • this is just nuts
    @OS Reload well, what I meant was this publicising that there's something more for the attackers to use.

    The least Microsoft could do is to publish a Fixit or much better, an interim out-of-band update, which will turn off WebDav and SMB in the way ComputerWorld mentions, which will apparently remove this problem as a web-dangerous exploit for anyone not needing Webdav.

    This would give Microsoft a chance to get a handle on how to fix overall. It's hard to buy the 'patch every app' kind of thinking. Just using a little sense.
    Narr vi
    19th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    So you're saying he should be telling people using Windows that Apple's craptacular software was exposing them to yet another exploit?
    Hallowed are the Ori
    19th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    @OS Reload That is because large companies are still testing applications and upgrading / fixing applications that are not compatible. Once they are ready to upgrade they will, it has nothing to do with how good XP is or Win 7 is. It is not an "inconvenient fact", but you definitely have blinders on.
    rmark@...
    19th Aug 2010
  • Are you nuts?
    @OS Reload

    Many of the corporate systems that we buy still come with XP preinstalled. Of course, we wipe them and install Windows 7 64 bit before they go to our users, but I am sure that they still show up as XP sales.
    itpro_z
    19th Aug 2010
  • Did you read the article?
    @Hallowed are the Ori:

    If you had read it, you would have seen that Apple issued a patch that FIXES this issue in iTunes, but that Moore found 40 other Windows applications that were still vulnerable. Notice Moore was going to discuss the issue with Microsoft, not Apple.

    Maybe you need new glasses, or Hooked on Phonics ...
    RationalGuy
    20th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    @OS Reload
    Well, I'm sure that he remembered that larger users buy site licenses and therefore purchase neither single copies nor PC hardware with the OS included. Did you?
    robertrosenthal
    20th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    @lincc240
    look! look! nobody fell for it.
    Mike062
    20th Aug 2010
  • Another day, another torrent of windows exploits
    Some things will never change.
    OS Reload
    19th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    @NStalnecker

    Or 39 other apps, lol.
    RealNonZealot
    19th Aug 2010
  • Read more carefully
    if this is an iTunes bug, then why is the guy briefing Microsoft and not Apple?
    frgough
    20th Aug 2010
  • RE: HD Moore: Critical bug in 40 different Windows apps
    @NStalnecker No, only if you keep updating versions of iTunes that are more and more bloated.
    NJtoTX
    20th Aug 2010
