A Texas-based researcher claimed he had discovered that about 40 different Windows apps, including the Windows shell, suffer from a critical vulnerability that could open up users to attacks by hackers. The flaw was originally discovered in iTunes for Windows, and was patched by Apple four months ago with iTunes 9.1.
Rapid7 chief security officer HD Moore detailed his findings to Computerworld in an interview on Wednesday. He said a wide range of applications are affected, and it was found while looking into another flaw involving Windows shortcuts, which Microsoft patched in an emergency update.
The flaw exists in how the programs handle malformed DLLs. While the methods to trigger the hole differ slightly from application to application, execution causes the hole to open which allows the hacker to execute arbitrary code and/or install malware on the infected machine.
Apple said at the time that the issue only affected Windows versions of iTunes, and not the Mac. Since Mac OS X does not use DLL files, the attack does not work on that operating system. There is no reason to believe that a similar flaw exists on that platform, either.
A single patch from Microsoft will not fix the problem: Moore said that each application would have to be patched on its own. He also would not disclose the names of those applications affected in order to prevent any attacks from occurring.
Users concerned with this vulnerability should block outbound TCP ports 139 and 445, as well as disabling the WebDAV client. This was a similar suggestion given to users as a workaround if they could not install the update to patch the shortcut vulnerability.
It is not immediately clear why the issue affects so many applications, or what these applications may share in terms of development that could give clues to its origin. So far, those working on the flaw have stayed quiet, leaving only speculation as to what may be the cause.