More than 40 Windows applications vulnerable to bug

An insecurity expert claims that some key applications designed to run on Windows have a critical flaw that can be used by attackers to hijack PCs and infect them with malware.

HD Moore, chief security officer at Rapid7, who created the open-source Metasploit penetration-testing toolkit, has refused to name the more than 40 outfits which have not updated their software.

He said that the problem, which was found by Acros, a Slovenian security firm, affects about 40 different apps, including the Windows shell.

Unusually, it was an outfit not famous for its security, Apple, which alerted users to the problem. Four months ago it patched its Windows version of iTunes.

In its advisory, it detailed a vulnerability in iTunes for Windows that hackers could exploit by persuading users to download and open a malformed media file, or by duping them into visiting a malicious website, where they would fall prey to a drive-by attack. According to Apple, the bug does not affect Mac machines.

Acros worked out that the vulnerability affected more than just iTunes. It refused to publicly disclose the details of the fault, as doing so would make it possible to bring down huge numbers of systems.

Moore said he found the flaw while researching the Windows shortcut vulnerability, a critical bug that Microsoft acknowledged in July and patched on August 2 using one of its rare “out of band” emergency updates.

He said that the end result of the hack is that an attacker-supplied .dll gets loaded after the user opens a ‘safe’ file type from a network share. The attack is similar to the Windows shortcut vulnerability.

The workaround is similar: block outbound SMB (TCP ports 139 and 445) and disable the WebDAV client in Windows, Moore told PC World + dog.
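The two controls Moore describes, applied and then verified from an elevated PowerShell session, as an added example that is not part of the original article or of any vendor's advisory. The firewall rule name is a hypothetical label chosen here, and the script assumes Windows Vista/7 or later with Windows PowerShell, so that netsh advfirewall, Set-Service and Get-WmiObject are available.

```powershell
# Added example: applies the article's two workarounds on a Windows host.
# Run in an elevated (Administrator) Windows PowerShell session.
# Assumptions not taken from the article: the rule name below, and a host
# running Windows Vista/7 or later so that netsh advfirewall, Set-Service
# and Get-WmiObject exist.

$RuleName = 'Block outbound SMB (DLL load workaround)'   # hypothetical rule name

function Block-OutboundSmb {
    # Block outbound SMB on TCP 139 (NetBIOS session) and TCP 445 (direct SMB).
    # Outbound only: a PC that cannot reach a remote share cannot pull an
    # attacker-supplied DLL from it when a "safe" file is opened from that share.
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
}

function Disable-WebDavClient {
    # The WebDAV redirector is the "WebClient" service. Stopping and disabling it
    # closes the HTTP-based share path that an SMB-only block would leave open.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Test-Workaround {
    # Returns $true only if the rule is present and enabled and WebClient is
    # both stopped and disabled; otherwise $false.
    $rule   = netsh advfirewall firewall show rule name="$RuleName"
    $ruleOk = [bool]($rule -match 'Enabled:\s+Yes') -and [bool]($rule -match 'Action:\s+Block')

    $svc    = Get-Service -Name WebClient
    $mode   = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
    $svcOk  = ($svc.Status -ne 'Running') -and ($mode -eq 'Disabled')

    return ($ruleOk -and $svcOk)
}

Block-OutboundSmb
Disable-WebDavClient
Test-Workaround   # prints True when both controls are in place
```

Blocking outbound SMB also cuts off legitimate access to file servers and printers, so pilot the rule on a few machines before pushing it fleet-wide, and note that it is a stopgap: the article's point stands that only a patch from each affected vendor removes the underlying DLL-loading behaviour.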

Unfortunately it is not a bug that Microsoft can fix by itself: it requires every affected vendor to produce a patch. The problem lies in the applications and not in the Windows operating system, so if Redmond created a fix at the OS level it would likely break all the software.