By Ed Oswald, Betanews

A Texas-based researcher claimed he had discovered that about 40 different Windows apps, including the Windows shell, suffer from a critical vulnerability that could open up users to attacks by hackers. The flaw was originally discovered in iTunes for Windows, and was patched by Apple four months ago with iTunes 9.1.

Rapid7 chief security officer HD Moore detailed his findings to Computerworld in an interview on Wednesday. He said a wide range of applications are affected, and that he found the flaw while looking into another one involving Windows shortcuts, which Microsoft patched in an emergency update.

The flaw lies in how the programs handle malformed DLLs. The method of triggering it differs slightly from application to application, but once triggered it allows the hacker to execute arbitrary code and/or install malware on the affected machine.

Apple said at the time that the issue only affected Windows versions of iTunes, and not the Mac. Since Mac OS X does not use DLL files, the attack does not work on that operating system. There is no reason to believe that a similar flaw exists on that platform, either.

A single patch from Microsoft will not fix the problem: Moore said that each application would have to be patched on its own. He also would not disclose the names of the affected applications, in order to prevent attacks.

Users concerned about this vulnerability should block outbound TCP ports 139 and 445 and disable the WebDAV client. A similar workaround was suggested to users who could not install the update that patched the shortcut vulnerability.
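One way to apply and then verify that workaround on a single Windows machine, as an added example that is not from the article or from Rapid7. It assumes an elevated PowerShell 3.0 or later prompt and the built-in Windows Firewall; the rule name is a hypothetical label chosen here.

```powershell
# Added example. Run elevated. $ruleName is a label chosen for this sketch.
$ruleName = 'Block-Outbound-SMB-139-445'

# 1. Block outbound TCP 139 and 445. netsh exits non-zero when no rule with
#    this name exists, so the rule is only added once (idempotent).
& netsh advfirewall firewall show rule "name=$ruleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Arguments are passed as an array so PowerShell does not split "139,445".
    $addArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$ruleName",
                 'dir=out', 'action=block', 'protocol=TCP', 'remoteport=139,445')
    & netsh @addArgs | Out-Null
}

# 2. Disable the WebDAV client, which Windows runs as the "WebClient" service.
#    The service is absent on some editions, so its absence is not an error.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

# 3. Verify: re-read the state from the system instead of trusting steps 1-2.
& netsh advfirewall firewall show rule "name=$ruleName" | Out-Null
$rulePresent = ($LASTEXITCODE -eq 0)
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"

# StartMode and State are reported as 'NotInstalled' when the service is absent.
New-Object PSObject -Property @{
    OutboundRulePresent = $rulePresent
    WebClientStartMode  = if ($cim) { $cim.StartMode } else { 'NotInstalled' }
    WebClientState      = if ($cim) { $cim.State } else { 'NotInstalled' }
}
```

The outbound block also stops the machine from reaching legitimate file shares over SMB, so it is usually applied at the network perimeter or scoped to untrusted networks rather than left on for internal traffic.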

It is not immediately clear why the issue affects so many applications, or what these applications may share in terms of development that could give clues to its origin. So far, those working on the flaw have stayed quiet, leaving only speculation as to what may be the cause.

Copyright Betanews, Inc. 2010
