Feeds

Researcher: Code-execution bug affects 200 Windows apps

Ain't no cure for binary-planting blues

Securing Web Applications Made Simple and Scalable

About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system, a security researcher said Thursday.

The critical vulnerability, which has already been patched in Apple's iTunes media player for Windows and VMware Tools, will be especially challenging to fix, because each application will ultimately need to receive its own patch, Mitja Kolsek, CEO of application security consultancy Acros Security, told The Register. He agreed with fellow researcher H D Moore, who on Wednesday said the critical vulnerability is trivial to exploit.

At the time, Moore estimated 40 programs were vulnerable, but security experts from Slovenia-based Acros have found that about 200 of the 220 applications they've tested so far suffer from what they're calling the binary-planting bug. They have yet to complete their inquiry.

“We are expecting that there should be many more,” Kolsek said. “We were just looking for those vulnerabilities that were exploitable in terms of the user double-clicking a document or doing a couple of things with the menu.”

Acros researchers alerted Microsoft to the vulnerability about four months ago and have been working with members of its security team since then to coordinate a fix with the many affected parties. They had been working in secret until Wednesday, when word of the bug first leaked out, he said. He said Microsoft may be able to release some sort of temporary fix while something more permanent is pending.

On Wednesday evening, a Microsoft spokeswoman said the company was investigating the report and would release more details when the inquiry was completed. This article will be updated if Microsoft has anything new to say.

The only other software known to be affected is one or more components in Windows. Both Moore and Kolsek have declined to provide further details, except for a Twitter from post from Moore that said the vulnerability may been reported, in part, 10 years ago. Moore also tweeted that additional information would come on Monday.

So far, what's known about the vulnerability comes mostly from an advisory Acros issued for the iTunes patch. The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file, it said. In some cases, the bugs can be exploited to execute EXE files and other types of binaries, as well, Kolsek said.

Until a fix is in place users can lessen their exposure by blocking outbound SMB connections on ports 445 and 139 and on WebDAV, but Kolsek reiterated that will do nothing to prevent attacks that originate on local networks, and that can be a problem in large organizations, where compromises of one machine can be used as a jumping-off point to infect other PCs or workstations.

“To own a single computer inside a network is very easy,” he said. “This type of vulnerability would make it really easy to get from this computer to owning some more interesting computers, for example, those belonging to admins. The external firewall would obviously not stop that.” ®

This article was updated to correct the spelling of Mitja Kolsek's name.

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.