Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Critical bug in 40 different Windows apps

19 Aug 2010   #1
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 
Critical bug in 40 different Windows apps

Just when you thought we might get a break for a while......

Quote:
Metasploit’s HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks.
Read more:

HD Moore: Critical bug in 40 different Windows apps | ZDNet

Quote:
According to Computerworld’s Gregg Keizer, each affected application will have to be patched separately.
“The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ’safe’ file type from a network share [either on the local network or the Internet],” Moore said in an e-mail reply to questions. “It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content.”
Moore is expected to go public with more details next Monday.



My System SpecsSystem Spec
.
19 Aug 2010   #2
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64
 
 

I just ran into another one worth a look over at ComputerWorld. Zero-day Windows bug problem worse than first thought, says expert

Here's an extract from that one.

Quote:
Zero-day Windows bug problem worse than first thought, says expert

'Most every Windows application' at risk, says Slovenian security firm that's working with Microsoft on fix

By Gregg Keizer
August 19, 2010 04:09 PM ET

Computerworld - An unpatched problem with Windows applications is much worse than first thought, with hundreds of programs, not just 40, vulnerable to attack, a Slovenian security company said today.

"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It appears that most every Windows application has this vulnerability."

Yesterday, American researcher HD Moore announced that he had stumbled upon about 40 Windows applications with a common vulnerability, but he declined to name the programs or go into detail about the bug.

Today, Kolsek said that Acros has been digging into a new class of vulnerabilities for months. It has found more than 200 flawed applications harboring more than 500 separate bugs, he added, noting that the company had reported its findings to Microsoft more than four months ago.
My System SpecsSystem Spec
20 Aug 2010   #3
cluberti

Windows 10 Pro x64
 
 

It's nasty if it really is that widespread, but in reading how it's exploited it always comes back to, as usual, the weakest link in security is the user.
My System SpecsSystem Spec
.

20 Aug 2010   #4
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64
 
 

Even when running a simple search for something you can run into a bad site that will drop a bug on you. The best defense of course is a strong offense of more then one protection including IE filtering as well as common sense while browsing.

The IE filters would be there for the "hidden traps" while ofen the rest is from not being selective when looking at search results or going to the wrong places from the start. Strange emails with files attached is a loaded cannon often enough as well!
My System SpecsSystem Spec
24 Aug 2010   #5
Phone Man

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

My System SpecsSystem Spec
24 Aug 2010   #6
Tews

64-bit Windows 8.1 Pro
 
 

There will be a fix for this pushed out through Windows Update soon ... I hope..
My System SpecsSystem Spec
24 Aug 2010   #7
fireberd

Windows 10 64 bit
 
 

As usual with these "security flaws" that are found this one requires a combination of certain events for it to be an issue.
My System SpecsSystem Spec
24 Aug 2010   #8
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64
 
 

Here's the other version of the same advisory

Quote:
The Microsoft Security Response Center (MSRC)
Microsoft Security Advisory 2269637 Released

Posted Sat, Aug 21 2010
by MSRCTEAM

Overview

Today we released Microsoft Security Advisory 2269637. This is different from other Microsoft Security Advisories because it's not talking about specific vulnerabilities in Microsoft products. Rather, this is our official guidance in response to security research that has outlined a new, remote vector for a well-known class of vulnerabilities, known as DLL preloading or "binary planting" attacks. We are currently conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.

Additionally, today we are providing a defense-in-depth update that customers can deploy that will help protect against attempts to exploit vulnerable applications through this newly identified vector. Finally, we are using our strong connections with researchers and partners in the industry to help address this new class of vulnerability. Our Microsoft Vulnerability Research program has been working to coordinate communication between the researcher who first brought this new vector to us and other application developers who are affected by this issue.

Technical Background

What this new research demonstrates is a new remote vector for DLL preloading attacks. These attacks are not new or unique to the Windows platform. For instance, PATH attacks that are similar to this issue constitute some of the earliest class of attacks against the UNIX operating system. The attack focuses on tricking an application into loading a malicious library when it thinks it's loading a trusted library. For this to succeed, the application has to call the trusted library by name instead of properly using its full path (for example, calling dllname.dll rather than C:\Program Files\Common Files\Contoso\dllname.dll). The attacker then has to place a malicious copy of the library in a directory that the system will search to locate the library and have that be a directory it will search before the directory where the trusted library actually is. For example, if an attacker knows that the application simply calls for dllname.dll (rather than using the full path) and it will look for dllname.dll in the current working directory before looking in C:\Program Files\Common Files\Contoso\. Then if the attacker can plant a malicious copy of dllname.dll in the current working directory, the application will load it first executing the attacker's code in the application's security context.

PATH or DLL preloading attacks have so far required the attacker to plant the malicious library on the local client system. This new research outlines a way an attacker could levy these attacks by planting the malicious library on a network share. In this scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file. At that point, the application would load the malicious library and the attacker's code would execute on the user's system.

Because this is a new vector, rather than a new class of vulnerability, the existing best practices that protect against this class of vulnerability, automatically protect against this new vector: ensuring that applications make calls to trusted libraries using full path names.

While the best protection is following best practices, we are able to provide an additional layer of defense by offering a tool that can be configured to disable the loading of libraries from network shares. In particular, because this is altering functionality, we encourage customers to evaluate this tool before deploying it. As part of your evaluation, we encourage you to review the information at the Security Research and Defense (SRD) blog.

We will continue our work with the researchers and the industry to identify and address vulnerable applications. And as always, we will update you with any new information we have through our security advisories, security bulletins and the MSRC weblog as appropriate.

Thanks

Christopher
Source

Not always a combination of things but if you run into a malware written to exploit this vulnerability you would see problems. You'll note the reference there for a tool that will disable the loading of certain libraries. Security Research & Defense - Site Home - TechNet Blogs
My System SpecsSystem Spec
24 Aug 2010   #9
Corrine

Windows 7 & Windows Vista Ultimate
 
 

Quote   Quote: Originally Posted by Tews View Post
There will be a fix for this pushed out through Windows Update soon ... I hope..
Not unless Microsoft identifies products affected by the vulnerabilities. Note from the quoted MSRC Blog article:

Quote:
We are currently conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.
Microsoft has provided a tool that can be configured to disable the loading of libraries from network shares (see Knowledge Base article 2264107) but that doesn't help home computer users.

The people most likely to be impacted are those who use P2P file-sharing programs such as uTorrent. The Mitigating Factors in the Security Advisory are pertinent in this regard.

Quote:
This issue only affects applications that do not load external libraries securely.

For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
My recommendation: Protect your investment. Only download programs from reputable websites and do not use P2P file-sharing software programs.
My System SpecsSystem Spec
25 Aug 2010   #10
Corrine

Windows 7 & Windows Vista Ultimate
 
 

In part from The Register: Firefox, uTorrent, and PowerPoint hit by Windows DLL bug:

Quote:
A day after Microsoft confirmed a vulnerability in Windows applications that executes malicious code on end-user PCs, the first exploits have been released targeting programs including the Firefox browser, uTorrent BitTorrent client, and Microsoft PowerPoint.

The attack code was posted on Tuesday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint.
My System SpecsSystem Spec
Reply

 Critical bug in 40 different Windows apps




Thread Tools




Similar help and support threads
Thread Forum
Minimized apps and Running apps not on task bar
Hello All I upgraded from Vista Ultimate 32 to 7 Ultimate 32. The only quirk I cannot solve is that I see no apps on my task bar. ANd when I minimize a window it does not go to the task bar as it should. It look like a small minimized window. See attached...
General Discussion
Windows 8 with critical issue
Hello. I am facing difficulties with my dell studio 1458. It has original windows 7 backup on its recovery partition. After installation of win 8, I was not able to use some application so I decide to go back to my previous win 7. But as I cannot uninstall win 8, I format my HDD except recovery...
General Discussion
32 bit apps cannot connect to network. 64 bit apps can.
I can only connect to the network using 64 bit applications on Window 7 Pro SP1. The problem occured after installing the latest version of iTunes (may or may not be related). I uninstalled iTunes with no change. IE 32 bit crashes after opening. Firefox opens but gives Server Not Found...
Network & Sharing
Windows 7 Non-Critical Updates 6/28/11
Downloaded and installed.
News
Researcher: 40 Windows Apps Affected by Critical Flaw
Details...
News


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 21:37.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App