Slashdot Mirror


40 Windows Apps Said To Contain Critical Bug

CWmike writes "About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, says HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Gregg Keizer reports that the bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs. Moore did not reveal the names of the vulnerable applications or their makers, however. Each affected program will have to be patched separately. Moore first hinted at the widespread bug in a message on Twitter on Wednesday. 'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted, then linked to an advisory published by Acros, a Slovenian security firm."

17 of 158 comments

  1. The Parrot says it best. by Anonymous Coward · · Score: 4, Funny
  2. Really? by Anonymous Coward · · Score: 5, Funny

    Just 40?

  3. So little detail... by broken_chaos · · Score: 5, Insightful

    So there are forty unknown applications with an unknown flaw that results in code execution. This sounds like it includes web browsers (given the references to 'viewing a web page' in the article), but it doesn't specify which. It also doesn't specify what sort of file(s) (except in the case of iTunes -- a 'media file') are affected.

    So what're we supposed to do? There's no detail here, not even cursory detail, on what filetypes or applications to avoid. I'm fine with no details on the innermost workings of this exploit being widely disseminated, but why announce it with such fanfare if there's not even a way to avoid exposing yourself (i.e., listing these supposed '40 applications')?

    1. Re:So little detail... by 0123456 · · Score: 3, Funny

      There's no detail here, not even cursory detail, on what filetypes or applications to avoid.

      Presumably anything that runs on Windows would be a good first approximation.

    2. Re:So little detail... by parkrrrr · · Score: 3, Informative

      Slight self-correction: blocking SMB at the router and disabling the WebDAV client on all Windows machines. Still, there's a mitigation that should work for most people.

  4. Re:I Wish I Had the Luxury of Worrying About This. by 0123456 · · Score: 5, Interesting

    Then worry about this:

    Yeah, I'm far more worried about a _fixed_ exploit that requires I install a malicious GUI app than an active exploit that just requires I open a malicious Word document.

  5. Re:Oh noes! by mark72005 · · Score: 3, Insightful

    Exactly... I am dubious on Windows security, but I use Windows boxes all the time without issue due to basic security precautions and basic common sense.

    (Yes I realize most users do not have either)

  6. He tweeted... by MrMe · · Score: 5, Funny

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,'

    That sounds really bad!

    'The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,' he tweeted

    Oh, doesn't seem so bad now...

    1. Re:He tweeted... by clone53421 · · Score: 3, Funny

      @goofyspouse (817551): mind if I re-tweet this?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  7. Re:Oh noes! by Ironhandx · · Score: 4, Insightful

    A lot of people need to learn the phrase : "Common sense is not so common".

  8. Re:Only 40? by Anonymous Coward · · Score: 3, Insightful

    Technically, any GUI app could gain root access, but this doesn't mean a computer running trusted applications (I trust the apps I run to not gain root and mess with my system) could be exploited without another bug.

    Still probably doesn't compare, and still very bad, but let's not turn it into a bigger scare than it really is.

  9. Shared Objects / Dynamically Linked Libraries by VGPowerlord · · Score: 4, Interesting

    I was under the impression that very few Windows applications were statically compiled... so why can't this just be updated in whatever shared object it uses again?

    I know he says

    There may be fixes that can be applied at the OS level, but these are likely to break existing applications.

    but what and why?

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011

  10. Re:I Wish I Had the Luxury of Worrying About This. by betterunixthanunix · · Score: 3, Insightful

    Or Joe Sixpack visits a website with a Flash applet, and there happens to be a vulnerability in Flash player that allows those applets to issue requests directly to the X server. Or, Joe Sixpack opens a PDF file using acroread, and there is a vulnerability in acroread. Or any number of other vulnerabilities; all an attack needs is to be able to issue requests directly to the X server.

    It really was not a trivial, uninteresting bug. It was a serious security problem for desktop Linux users that had been around for years.

    --
    Palm trees and 8

  11. Re:Only 40? by ByOhTek · · Score: 3, Insightful

    The problem is - trusted applications can have holes too.

    I mean, many people trust iTunes, and that was one of the apps with the holes (admittedly fixed).

    Are you 100% certain ALL of your trusted applications don't have holes, and the versions you ran in the last 7 years didn't have holes?

    The GUI issue was a HUGE problem - however it is/was fixed, which is the important part.

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).

  12. Re:Oh noes! by rbochan · · Score: 3, Funny

    A lot of people need to learn the phrase : "Common sense is not so common".

    These days it could be considered a super power.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.

  13. Re:I Wish I Had the Luxury of Worrying About This. by JesseMcDonald · · Score: 3, Insightful

    You misunderstand. The Xorg bug doesn't require a malicious GUI app; it just requires a perfectly normal GUI app with an exploitable vulnerability. So if OpenOffice.org (or Acrobat Reader, or Firefox, or any other document viewer) has a flaw which can be exploited by a malicious document, the Xorg bug turns that into a privilege-escalation vulnerability, circumventing not only the normal permission mechanisms but also tools such as SELinux sandboxes (which protect against malicious code running in the sandboxed user application, not the X server).

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat

  14. Re:I Wish I Had the Luxury of Worrying About This. by mlts · · Score: 3, Insightful

    I'd say that putting any OS on the Internet without a reasonable firewall is a poor idea, the exception being a laptop [1] just out of necessity. Yes, most operating systems are hardened, but what brings the bugs are the applications that run on them. This is why having a hardened machine with as little running on it as possible is essential between the general purpose computers and the rest of the Internet.

    [1]: I have seen tiny embedded Linux adapters just bigger than an Ethernet plug. Why can't laptop makers build a tiny firewalling router into one of those and mount it on the motherboard? This way, it doesn't matter what the OS is, attacks from remote will be minimized, and one could configure it to disallow outgoing ports (such as port 25) that the laptop shouldn't ever need to go out on. I'm sure similar functionality can be done for Wi-Fi. As an added bonus, if a machine gets DoS-ed, it won't be the main CPU that has to sort out the offending packets, but the one on the built-in firewall.