40 Windows apps affected by critical code execution flaw

Some 40 Windows applications are affected by a critical vulnerability that can allow attackers to execute malicious code remotely and infect the computers with malware, says HD Moore, CSO at Rapid7 and creator of Metasploit.

He hinted at the existence of the flaw on Twitter, saying “The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,” and linking to a advisory by security firm Acros.

The advisory in question concerns a dynamic link library loading flaw in Apple iTunes for Windows, which allows a remote attacker to “plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes – which should require minimal social engineering.”

“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV -, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet,” say Acros researchers.

Moore did not specify which applications were affected, and offered but a few details about it.

“The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ‘safe’ file type from a network share [either on the local network or the Internet]. It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content,” he revealed to ComputerWorld.

He also mentioned that more details will be revealed next week, and that they have already written an exploit module for Metasploit, but won’t be releasing it yet.

In the meantime, he advises users to block TCP ports 139 and 445 to block outbound SMB connections and to disable the Windows WebDAV client in order to block remote attacks. Still, the users will remain open to an attack within the network, but that is a lot less likely to happen.

Share this