New Windows vulnerability: Applications download malicious code from the net
Apparently, it is possible to exploit the way Windows downloads libraries for third-party applications to execute arbitrary programs on victims' systems. According to various reports, the problem exists because applications that retrieve linked data (safe files) from external sources also try to download certain libraries from the same place.
For example, an attacker deposits an MP3 file as well as a specially crafted DLL (with the required name) on a network volume. The victim starts a media player to play the MP3, and the player potentially also downloads the DLL, executing the attacker's code during start-up. A successful attack requires the victim to open the lure file on the network volume. This is something attackers can generally achieve via social engineering techniques.
Exactly which applications are affected is not yet known. However, the vulnerability can reportedly also be exploited via HTTP and WebDAV. Metasploit developer HD Moore says that the problem affects around 40, mostly third-party, applications and that there are "some surprises". No further details, for instance which versions of Windows are affected by the flaw, have become available. Moore intends to disclose more information soon.
Microsoft say they have been informed of the problem and are currently investigating it. The issue was made public yesterday (Wednesday) after security firm ACROS released a bug report describing a very similar problem in Apple's iTunes for Windows – the flaw was fixed in iTunes 9.2.1 four weeks ago.
In the absence of a patch and with no information about affected applications available, the only currently advisable workaround is to block SMB and WebDAV connections to the internet.
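Until the affected applications are known, defenders can at least look for the pattern described above: a process that opens a data file on a network volume and then loads a DLL from that same remote folder. The following detection sketch is an added example, not code from the article or from any vendor; the event tuples, host names and paths are constructed sample data, and the (pid, kind, path) format is an assumption standing in for whatever process-monitoring log is available.

```python
# Added example: flag DLLs a process loads from a remote (SMB/WebDAV) folder.
# The (pid, kind, path) event tuples are a constructed format, not a real log schema.

# Constructed sample events: "open" = data file opened, "load" = module loaded.
SAMPLE_EVENTS = [
    (1204, "open", r"\\fileserver\music\song.mp3"),
    (1204, "load", r"C:\Windows\System32\kernel32.dll"),
    (1204, "load", r"\\fileserver\music\codec.dll"),
    (1204, "load", r"\\FILESERVER\Music\sub\other.dll"),
    (2310, "open", r"C:\Users\alice\Music\local.mp3"),
    (2310, "load", r"C:\Users\alice\Music\plugin.dll"),
    (3100, "open", r"\\example.test@80\DavWWWRoot\docs\report.txt"),
    (3100, "load", r"\\example.test@80\DavWWWRoot\docs\helper.dll"),
]

def normalise(path):
    # Lower-case, unify separators, fold the \\?\UNC\ prefix into plain UNC form.
    p = path.replace("/", "\\").lower()
    if p.startswith("\\\\?\\unc\\"):
        p = "\\\\" + p[8:]
    return p

def is_remote(path):
    # UNC paths cover SMB shares and WebDAV redirector paths. Mapped drive
    # letters cannot be recognised from the path alone (known limitation).
    return path.startswith("\\\\") and not path.startswith(("\\\\?\\", "\\\\.\\"))

def find_remote_loads(events):
    # Pass 1: remember the remote folders each process opened data files from.
    opened = {}
    for pid, kind, raw in events:
        path = normalise(raw)
        if kind == "open" and is_remote(path):
            opened.setdefault(pid, set()).add(path.rsplit("\\", 1)[0])
    # Pass 2: report every DLL loaded from a remote path; "same-folder" means
    # it sat next to a data file the same process opened (the case above).
    findings = []
    for pid, kind, raw in events:
        path = normalise(raw)
        if kind == "load" and is_remote(path) and path.endswith(".dll"):
            folder = path.rsplit("\\", 1)[0]
            verdict = "same-folder" if folder in opened.get(pid, set()) else "remote"
            findings.append((pid, raw, verdict))
    return findings

if __name__ == "__main__":
    for pid, path, verdict in find_remote_loads(SAMPLE_EVENTS):
        print(f"pid={pid} {verdict}: {path}")
```

A "same-folder" hit is the stronger signal; a plain "remote" hit still deserves review, since libraries are rarely loaded from network paths in normal use.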