Slashdot Mirror


40 Windows Apps Said To Contain Critical Bug

CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."

43 of 158 comments

  1. The Parrot says it best. by Anonymous Coward · · Score: 4, Funny
    1. Re:The Parrot says it best. by X0563511 · · Score: 2, Informative

      Thanks... you just made my day.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Only 40? by Anonymous Coward · · Score: 2, Insightful

    Only 40? That's definitely an improvement over the 7 year old Linux exploit that was only just fixed where any GUI app could gain root access.

    1. Re:Only 40? by Anonymous Coward · · Score: 3, Insightful

      Technically, any GUI app could gain root access, but this doesn't mean a computer running trusted applications (I trust the apps I run to not gain root and mess with my system) could be exploited without another bug.

      Still probably doesn't compare, and still very bad, but let's not turn it into a bigger scare than it really is.

    2. Re:Only 40? by ByOhTek · · Score: 3, Insightful

      The problem is - trusted applications can have holes too.

      I mean, many people trust iTunes, and that was one of the apps with the holes (admittedly fixed).

      Are you 100% certain ALL of your trusted applications don't have holes, and the versions you ran in the last 7 years didn't have holes?

      The GUI issue was a HUGE problem - however it is/was fixed, which is the important part.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:Only 40? by hairyfeet · · Score: 2, Informative

      If you are really worried about holes in your apps perhaps you should be running Comodo Internet Security or Comodo AV (same link) which by default sandboxes ALL apps you run unless you tell it otherwise. I've found a good 9 out of 10 apps run just fine in a sandbox, and Comodo makes it easy to sandbox any app and by default will sandbox new apps and new installs to protect your PC. Oh and it is 100% free too, with no nag emails or need to register.

      Since giving my customers and family Comodo I've found the amount of crapware and malware I have to deal with has gone WAY down, since its default settings seems to help protect even the most clueless user. It also uses a hell of a lot less resources than the other free AV/Firewalls (it is currently using a grand total of 22Mb RAM and 0% CPU on Windows 7 HP X64, and I have similar numbers in XP SP3) so to me it is a no brainer. Better safe than sorry is my motto and if an app runs fine in a sandbox, why should I allow it access to the underlying OS?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Only 40? by C0vardeAn0nim0 · · Score: 2, Interesting

      makes sense because the native registry/file virtualization is provided by MICROSOFT, and this being slashdot, the mantra is "anything windows does, a third party app does better, because M$ SUCKS!!!", unless it's "shitty iTunes bloatware for windows".

      --
      What ? Me, worry ?
    5. Re:Only 40? by hairyfeet · · Score: 2, Interesting

      Because what you are calling "registry/file virtualization" has NOTHING to do with security and is simply a hack to allow x86 apps to run on x64? And time and time again we have seen the bad guys blow through Windows security measures since it is the biggest market and therefore offers the biggest rewards? Plus with the Windows 7 version you have no control whatsoever, and I have noticed it really doesn't seem to care what gets dumped in "Program Files(x86)" as long as you click yes that first time, whereas with Comodo I am in control, and I get to say what is allowed and what isn't. And if you'll look up the video reviews posted on Youtube where they try to infect Comodo with malware you'll see time and time again it stops the nasties cold.

      Look it is 100% free, has less overhead than every other free AV I've ever tried AND it comes with built in sandboxing. I think the better question is why not use it when there are so many bad guys trying to hack PCs out there? It isn't like 22Mb for an AV AND a firewall is all that much with the multiGb machines of today, so why not add that extra layer of security if it costs nothing?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  3. Really? by Anonymous Coward · · Score: 5, Funny

    Just 40?

    1. Re:Really? by zuvembi · · Score: 2, Funny

      Well now, I think the real question is how many *aren't* made by Adobe?

  4. Re:I Wish I Had the Luxury of Worrying About This. by betterunixthanunix · · Score: 2, Informative
    --
    Palm trees and 8
  5. So little detail... by broken_chaos · · Score: 5, Insightful

    So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.

    So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?

    1. Re:So little detail... by 0123456 · · Score: 3, Funny

      There's no detail here, not even cursory detail, on what filetypes or applications to avoid.

      Presumably anything that runs on Windows would be a good first approximation.

    2. Re:So little detail... by parkrrrr · · Score: 2, Informative

      The article does mention that blocking WebDAV and SMB at your perimeter router will at least prevent the exploit coming from outside your network, though I agree that in general it seems long on FUD and self-congratulation and short on useful content.

    3. Re:So little detail... by parkrrrr · · Score: 3, Informative

      Slight self-correction: blocking SMB at the router and disabling the WebDAV client on all Windows machines. Still, there's a mitigation that should work for most people.

    4. Re:So little detail... by Lord+Ender · · Score: 2, Informative

      This is notable because it is coming from HDM, a fellow with an excellent reputation who will no doubt release an easy-to-use exploit (with Metasploit) after app developers have had a chance to patch.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:So little detail... by roju · · Score: 2, Funny

      This sounds like it includes web browsers (given the references to 'viewing a web page' in the article)

      Sounds like flash to me. It's always flash.

  6. Re:I Wish I Had the Luxury of Worrying About This. by 0123456 · · Score: 5, Interesting

    Then worry about this:

    Yeah, I'm far more worried about a _fixed_ exploit that requires I install a malicious GUI app than an active exploit that just requires I open a malicious Word document.

  7. Re:Oh noes! by mark72005 · · Score: 3, Insightful

    Exactly... I am dubious on Windows security, but I use Windows boxes all the time without issue due to basic security precautions and basic common sense.

    (Yes I realize most users do not have either)

  8. Re:I Wish I Had the Luxury of Worrying About This. by Korin43 · · Score: 2, Funny

    They fixed a bug in the Linux kernel? I'm worried now.

  9. He tweeted... by MrMe · · Score: 5, Funny

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,'

    That sounds really bad!

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted

    Oh, doesn't seem so bad now...

    1. Re:He tweeted... by goofyspouse · · Score: 2, Informative

      Mod parent up. Anyone who tweets anything is not worthy of being taken seriously.

    2. Re:He tweeted... by clone53421 · · Score: 3, Funny

      @goofyspouse (817551): mind if I re-tweet this?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  10. Re:Oh noes! by Ironhandx · · Score: 4, Insightful

    A lot of people need to learn the phrase: "Common sense is not so common".

  11. Shared Objects / Dynamically Linked Libraries by VGPowerlord · · Score: 4, Interesting

    I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?

    I know he says

    There may be fixes that can be applied at the OS level, but these are likely to break existing applications.

    but what and why?

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    1. Re:Shared Objects / Dynamically Linked Libraries by Monkeedude1212 · · Score: 2

      I agree - a remedial patch SHOULDN'T break the existing applications (and if Microsoft applied it, that would just give the vendors pressure to update their apps! What a role reversal, anyways) - but in case you haven't noticed, a lot of Microsoft's "Fixes" actually "break" functioning operations.

      All in the name of security.

    2. Re:Shared Objects / Dynamically Linked Libraries by amorsen · · Score: 2, Informative

      I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?

      Because to avoid dependency hell and to compensate for the lack of package management, Windows applications come with private copies of the DLLs they need. If a flaw hits a common library like a JPEG parser you have to go through the file system looking for vulnerable versions and hope all the versions you have installed have fixes available. Or just wait till each application vendor gets around to issuing a patch for their particular application.

      --
      Finally! A year of moderation! Ready for 2019?
    3. Re:Shared Objects / Dynamically Linked Libraries by Anonymous Coward · · Score: 2, Interesting

      Because it's an API change.

      If you read the linked description, it says that the problem relates to opening files from remote places. With some Win32 API knowledge, you can derive that the problem is:

      - DLL loading looks into the process working directory for DLLs (i.e. getcwd())
      - Some applications change the working directory to the place where the files they attempt to open reside
      - If the malicious actor places a DLL in the same directory as the file to be opened, they can win the race against the application's expected DLL directory loading path.

      The fix, then, involves either 1) not changing the working directory, 2) calling SetDllDirectory to remove the working directory from the search path, or 3) using SafeDllSearchMode and making sure the DLL is in one of the places before the working directory.

      All of these require changing the application. If you just change the DLL search path (by removing the working directory), applications which expect the old, documented search path might fail to find the DLLs they were looking for (perhaps they explicitly changed the working directory to load the DLL, and weren't trying to load a remote document in the first place?).
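      The search-order behaviour described in the comment above, as an added illustration (this is not code from the comment's author, from Acros, or from any of the affected applications): a small portable C model of the documented Win32 DLL search order that shows which copy of an unqualified DLL name wins depending on the SafeDllSearchMode setting and on whether the application has called SetDllDirectory("") to drop the working directory. The directory categories, the `loader_config` struct and the three constructed scenarios are assumptions of the model; it does not call the Win32 API, so it compiles on any platform and covers all three fixes the comment lists.

```c
#include <stdio.h>

/* Directories consulted by the Win32 loader for an unqualified DLL name,
 * per the documented "Dynamic-Link Library Search Order". The enum is a
 * modelling convenience, not a Win32 type. */
enum search_dir {
    DIR_APP = 0,   /* directory the executable was loaded from */
    DIR_SYSTEM32,  /* %SystemRoot%\System32 */
    DIR_SYSTEM16,  /* %SystemRoot%\System (16-bit system directory) */
    DIR_WINDOWS,   /* %SystemRoot% */
    DIR_CWD,       /* current working directory of the process */
    DIR_PATH,      /* directories listed in %PATH% */
    DIR_COUNT
};

static const char *dir_name[DIR_COUNT] = {
    "application dir", "System32", "System (16-bit)", "Windows dir",
    "working directory", "PATH"
};

/* Loader state that decides the order (assumed model, not a Win32 struct). */
struct loader_config {
    int safe_dll_search_mode; /* SafeDllSearchMode registry value: 1 = on */
    int cwd_removed;          /* app called SetDllDirectory("") at startup */
};

/* Writes the directories in the order the loader consults them into `order`
 * and returns how many entries were written. */
int dll_search_order(const struct loader_config *cfg, enum search_dir *order)
{
    int n = 0;
    order[n++] = DIR_APP;
    if (!cfg->safe_dll_search_mode && !cfg->cwd_removed)
        order[n++] = DIR_CWD;      /* legacy order: CWD right after app dir */
    order[n++] = DIR_SYSTEM32;
    order[n++] = DIR_SYSTEM16;
    order[n++] = DIR_WINDOWS;
    if (cfg->safe_dll_search_mode && !cfg->cwd_removed)
        order[n++] = DIR_CWD;      /* safe mode: CWD only after system dirs */
    order[n++] = DIR_PATH;
    return n;
}

/* present[d] != 0 means a file with the requested name exists in directory d.
 * Returns the enum value of the directory the loader would pick, or -1 when
 * the load fails (no copy found anywhere in the search order). */
int resolve_dll(const struct loader_config *cfg, const int present[DIR_COUNT])
{
    enum search_dir order[DIR_COUNT];
    int n = dll_search_order(cfg, order);
    for (int i = 0; i < n; i++)
        if (present[order[i]])
            return (int)order[i];
    return -1;
}

/* 1 if a copy sitting in the working directory (for example next to a
 * document the user opened) is the one that gets loaded. */
int cwd_copy_wins(const struct loader_config *cfg, const int present[DIR_COUNT])
{
    return resolve_dll(cfg, present) == DIR_CWD;
}

static void report(const char *label, const struct loader_config *cfg,
                   const int present[DIR_COUNT])
{
    int r = resolve_dll(cfg, present);
    printf("%-48s -> %s\n", label, r < 0 ? "load fails" : dir_name[r]);
}

int main(void)
{
    struct loader_config legacy   = { 0, 0 }; /* SafeDllSearchMode off */
    struct loader_config safe     = { 1, 0 }; /* on by default since XP SP2 */
    struct loader_config hardened = { 1, 1 }; /* plus SetDllDirectory("") */

    /* Constructed scenario: a helper DLL that lives only on PATH, and a
     * same-named file placed in the directory of the opened document. */
    int on_path_and_cwd[DIR_COUNT]     = { 0, 0, 0, 0, 1, 1 };
    /* Constructed scenario: the DLL is a proper system DLL in System32. */
    int in_system32_and_cwd[DIR_COUNT] = { 0, 1, 0, 0, 1, 0 };
    /* Constructed scenario: an optional DLL that is not installed at all. */
    int only_in_cwd[DIR_COUNT]         = { 0, 0, 0, 0, 1, 0 };

    report("PATH DLL, legacy order", &legacy, on_path_and_cwd);
    report("PATH DLL, SafeDllSearchMode", &safe, on_path_and_cwd);
    report("PATH DLL, SafeDllSearchMode + SetDllDirectory", &hardened, on_path_and_cwd);
    report("System32 DLL, legacy order", &legacy, in_system32_and_cwd);
    report("System32 DLL, SafeDllSearchMode", &safe, in_system32_and_cwd);
    report("missing DLL, SafeDllSearchMode", &safe, only_in_cwd);
    report("missing DLL, SetDllDirectory", &hardened, only_in_cwd);
    return 0;
}
```

      The model makes the trade-off in the comment visible: SafeDllSearchMode alone only protects DLLs that already live in the application or system directories, a DLL found via PATH or not installed at all still resolves to the working directory, and only dropping the working directory with SetDllDirectory("") (or never changing it) closes that, at the cost of breaking any application that relied on the working directory being searched.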

  12. Re:I Wish I Had the Luxury of Worrying About This. by betterunixthanunix · · Score: 3, Insightful

    Or Joe Sixpack visits a website with a Flash applet, and there happens to be a vulnerability in Flash player that allows those applets to issue requests directly to the X server. Or, Joe Sixpack opens a PDF file using acroread, and there is a vulnerability in acroread. Or any number of other vulnerabilities; all an attack needs is to be able to issue requests directly to the X server.

    It really was not a trivial, uninteresting bug. It was a serious security problem for desktop Linux users that had been around for years.

    --
    Palm trees and 8
  13. Re:I Wish I Had the Luxury of Worrying About This. by Korin43 · · Score: 2, Insightful

    http://www.archlinux.org/packages/core/i686/kernel26/

    Patched on 8/13, new kernel package on 8/14. I'm not concerned. And slower-updating distros generally have a security team to patch these kinds of things into their current kernel release.

  14. Re:I Wish I Had the Luxury of Worrying About This. by betterunixthanunix · · Score: 2, Interesting

    The part where an exploit that allows malicious programs to be run without the user's knowledge? Or did you think there were no such exploits?

    For the record, I am a Fedora user, not a Windows user. I am willing to acknowledge when there is a security problem. I am glad it was fixed, but that does not imply that it was not a real problem.

    --
    Palm trees and 8
  15. Re:I Wish I Had the Luxury of Worrying About This. by h4rr4r · · Score: 2, Insightful

    Don't run X as root. Who does that these days?

    KMS, bitches.

  16. Re:Oh noes! by rbochan · · Score: 3, Funny

    A lot of people need to learn the phrase: "Common sense is not so common".

    These days it could be considered a super power.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  17. Re:I Wish I Had the Luxury of Worrying About This. by JesseMcDonald · · Score: 3, Insightful

    You misunderstand. The Xorg bug doesn't require a malicious GUI app; it just requires a perfectly normal GUI app with an exploitable vulnerability. So if OpenOffice.org (or Acrobat Reader, or Firefox, or any other document viewer) has a flaw which can be exploited by a malicious document, the Xorg bug turns that into a privilege-escalation vulnerability, circumventing not only the normal permission mechanisms but also tools such as SELinux sandboxes (which protect against malicious code running in the sandboxed user application, not the X server).

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  18. Re:I Wish I Had the Luxury of Worrying About This. by Lunix+Nutcase · · Score: 2

    So in order to exploit this exploit you need to make up another exploit which already allows them to do anything on my PC with my user privileges, which means that they've already installed a keylogger in Firefox and stolen my bank passwords and I no longer give a flying monkey turd about whether they've trashed my OS.

    No. In fact, for example, a maliciously-formed PDF file opened in a PDF reader, even if that reader is run in a sandbox, can be used to gain root through the exploit.

  19. Re:I Wish I Had the Luxury of Worrying About This. by Lunix+Nutcase · · Score: 2, Interesting

    Don't run X as root. Who does that these days?

    Probably quite a few. Not everyone is running a version of the 2.6 kernel that has KMS.

  20. Re:I Wish I Had the Luxury of Worrying About This. by mandelbr0t · · Score: 2, Interesting

    Exploitable != Malicious. A system without stack protection is an accident waiting to happen. You should read up on how stack protections eliminate an entire class of exploits, and how subtle exploitable code really is. Even the .NET compiler includes stack protection. I have no idea why Linux has not adopted the use of ProPolice across the board.

    My previous response was not a troll; it was based on years of experience running Windows, Linux, Mac and BSD machines. Linux is the most brittle of all of the systems I've used. Even remaining up-to-date from the distro is very little protection, since the underlying problem is not being addressed. Nearly every Linux distro could ship with better security, but SELinux and ProPolice are not enabled by default.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  21. Re:I Wish I Had the Luxury of Worrying About This. by Anonymous Coward · · Score: 2, Informative

    Don't run X as root. Who does that these days?

    Who? People that run proprietary drivers from Nvidia or ATI do. So do people that use drivers from less popular vendors that don't yet have KMS in their drivers (KMS is not in every open driver yet). It's enough to stop most distros from shipping with X running as another user.

  22. Re:I Wish I Had the Luxury of Worrying About This. by mlts · · Score: 3, Insightful

    I'd say that putting any OS on the Internet without a reasonable firewall is a poor idea, the exception being a laptop [1] just out of necessity. Yes, most operating systems are hardened, but what brings the bugs are the applications that run on them. This is why having a hardened machine with as little running on it as possible is essential between the general purpose computers and the rest of the Internet.

    [1]: I have seen tiny embedded Linux adapters just bigger than an Ethernet plug. Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard? This way, it doesn't matter what the OS is, attacks from remote will be minimized, and one could configure it to disallow outgoing ports (such as port 25) that the laptop shouldn't ever need to go out on. I'm sure similar functionality can be done for Wi-Fi. As an added bonus, if a machine gets DoS-ed, it won't be the main CPU that has to sort out the offending packets, but the one on the built in firewall.

  23. First Hand Information is Priceless by crunchy_one · · Score: 2, Informative

    Here's a link to the original advisory. It's worth a read as it contains useful remediation advice: http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt

  24. Re:I Wish I Had the Luxury of Worrying About This. by HangingChad · · Score: 2, Informative

    but better security is not one of them.

    And you'd be wrong. Even with a directly connected Linux box it takes someone manually targeting that machine. As far as I know, no one has successfully automated *nix hacking and certainly not any kind of effective drive-by attack. Even if the automated attack gets a foot in the door, they still have to manually find a way to escalate privileges.

    If you still believe this, put up a Linux server completely exposed to the Internet, and broadcast all over IRC that your server is badass and can't be hacked.

    Connect that same box running Windows directly to the internet and you don't even have to announce its presence. It's like auto-hork.

    Linux doesn't have the security issues that Windows does, but mostly it's because it's less popular,

    Another fallacy. If that were true then the exploits out in the wild should be relative to percentage of machines running that OS. And yet there aren't any. That popularity tripe was a talking point from a MSFT PR firm advertising campaign that went around a few years ago.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  25. Re:I Wish I Had the Luxury of Worrying About This. by fandingo · · Score: 2, Interesting

    Actually, even though Nvidia does not support KMS their drivers do support running X as a normal user. Users of the ATI proprietary drivers are SOL.

    Using KMS does not automatically remove the root requirement. For example, Ubuntu uses KMS drivers for many cards currently, but one of the big improvements for 10.10 will be to run X as a normal user with some drivers.

  26. Re:I Wish I Had the Luxury of Worrying About This. by oakgrove · · Score: 2, Insightful

    What you're saying is that Linux is totally bulletproof, as long as you run it as much as possible like an iPhone -- trusting only applications that your OS provider says are okay, and that it's not reasonable to examine it in a situation where that's not the case.

    How is installing applications from the repos anything like using an iPhone? With Linux, I can install any application I want from anywhere I want as long as it's compatible (just like most other OS's). I can compile from source, write and run my own code on it, whatever floats my boat. I and most other Linux users get most of our software from the repositories because 99 percent of anything you'd want to install is in there and the packages in the repos are generally well tested to work with the system you are using. It would be foolish to not use them. With the iPhone, unless you jailbreak it, you're locked in. That's a walled garden. No Linux distro I've ever used has worked like that at all.

    --
    The soylentnews experiment has been a dismal failure.