Metasploit’s HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks. 

Moore issued a brief warning about the issue via Twitter and linked to a critical bulletin from Acros, a Slovenian security research outfit, that references a remote code execution bug patched in Apple’s latest iTunes update.

From Acros

A “binary planting” vulnerability in Apple iTunes for Windows allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.

According to the advisory, all a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes – which should require minimal social engineering.

Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV -, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.

A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.

“I ran across it working on the shortcut bug and about fell out of my chair,” Moore said in an interview. “It made the LNK exploit almost pointless.”

That LNK exploit, patched via an emergency out-of-band patch by Microsoft, was discovered as part of a sophisticated malware attack that combined the Windows zero-day flaw with security problems in SCADA systems and used stolen signed drivers to bypass security software.

Moore declined to provide details of the new security problem until he got a chance to brief Microsoft’s security response team on his findings.

“Anyone who worked on the shortcut exploit will know exactly what the issue is by now. A bunch of people know about it,” he said. “The bug is bad behavior on the part of certain Windows applications when loading files from a network share,” Moore added.

He declined to identify the 40 Windows applications that are vulnerable until after his discussions with Microsoft. “It’s a wide range of things that are vulnerable, some open-source as well as commercial.”

According to Computerworld’s Gregg Keizer, each affected application will have to be patched separately.

“The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a ’safe’ file type from a network share [either on the local network or the Internet],” Moore said in an e-mail reply to questions. “It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content.”

Moore is expected to go public with more details next Monday.

Categories: Malware, Vulnerabilities

Comment (1)

  1. Anonymous

    While downloading your Audit Kit my anti virus showed it as a high severity threat Malware in W32 with name of runcalc.dll. I wonder if this is an actual piece of Malware in your file that I d/l’ed or an example you were showing in the Audit Kit! Could your file contain this Malware?

    Wanted you to know about anyway. You probably do already!

    Please reply asap. Thank you

Comments are closed.