Researcher: Code-execution bug affects 200 Windows apps

Ain't no cure for binary-planting blues


About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system, a security researcher said Thursday.

The critical vulnerability, which has already been patched in Apple's iTunes media player for Windows and VMware Tools, will be especially challenging to fix, because each application will ultimately need to receive its own patch, Mitja Kolsek, CEO of application security consultancy Acros Security, told The Register. He agreed with fellow researcher H D Moore, who on Wednesday said the critical vulnerability is trivial to exploit.

At the time, Moore estimated 40 programs were vulnerable, but security experts from Slovenia-based Acros have found that about 200 of the 220 applications they've tested so far suffer from what they're calling the binary-planting bug. They have yet to complete their inquiry.

“We are expecting that there should be many more,” Kolsek said. “We were just looking for those vulnerabilities that were exploitable in terms of the user double-clicking a document or doing a couple of things with the menu.”

Acros researchers alerted Microsoft to the vulnerability about four months ago and have been working with members of its security team since then to coordinate a fix with the many affected parties. They had been working in secret until Wednesday, when word of the bug first leaked out, he said. He said Microsoft may be able to release some sort of temporary fix while something more permanent is pending.

On Wednesday evening, a Microsoft spokeswoman said the company was investigating the report and would release more details when the inquiry was completed. This article will be updated if Microsoft has anything new to say.

The only other software known to be affected is one or more components in Windows. Both Moore and Kolsek have declined to provide further details, except for a Twitter post from Moore that said the vulnerability may have been reported, in part, 10 years ago. Moore also tweeted that additional information would come on Monday.

So far, what's known about the vulnerability comes mostly from an advisory Acros issued for the iTunes patch. The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file, it said. In some cases, the bugs can be exploited to execute EXE files and other types of binaries, as well, Kolsek said.
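For defenders, the pattern in the advisory (a document opened from a share, followed by a binary loaded from that same share) can be hunted in module-load telemetry. The sketch below is an added example, not code from Acros or the article; the event fields, host names and process names are constructed assumptions rather than a real log schema.

```python
import ntpath

# Constructed sample events: process, document the user opened, module then loaded.
EVENTS = [
    {"process": "player.exe", "document": r"\\fileserver\media\song.mp3",
     "module": r"C:\Windows\System32\version.dll"},
    {"process": "player.exe", "document": r"\\fileserver\media\song.mp3",
     "module": r"\\FILESERVER\media\codec.dll"},
    {"process": "viewer.exe", "document": r"\\example.test@SSL\DavWWWRoot\docs\a.doc",
     "module": r"\\example.test@SSL\DavWWWRoot\docs\helper.dll"},
    {"process": "editor.exe", "document": r"C:\Users\u\notes.txt",
     "module": r"C:\Program Files\Editor\plugin.dll"},
]

def normalise(path):
    # Unify separators and case; map the long-path UNC prefix to plain UNC.
    p = path.replace("/", "\\").lower()
    if p.startswith("\\\\?\\unc\\"):
        p = "\\\\" + p[8:]
    return ntpath.normpath(p)

def is_remote(path):
    # UNC (SMB or WebDAV redirector) paths start with two backslashes;
    # the remaining device prefixes (\\?\ and \\.\) refer to local objects.
    p = normalise(path)
    return p.startswith("\\\\") and not p.startswith(("\\\\?\\", "\\\\.\\"))

def flag_planted_loads(events):
    """Return (process, module, reason) for binaries loaded from a network path."""
    hits = []
    for ev in events:
        module = ev["module"]
        if not module.lower().endswith((".dll", ".exe")):
            continue
        if not is_remote(module):
            continue
        same_dir = (ntpath.dirname(normalise(module))
                    == ntpath.dirname(normalise(ev["document"])))
        # A binary sitting next to the opened document is the strongest signal.
        hits.append((ev["process"], module,
                     "beside-document" if same_dir else "remote"))
    return hits

if __name__ == "__main__":
    for hit in flag_planted_loads(EVENTS):
        print(hit)
```

Because the check keys on where the binary was loaded from rather than on the firewall boundary, it also covers shares on the local network.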

Until a fix is in place, users can lessen their exposure by blocking outbound SMB connections on ports 445 and 139 and on WebDAV. But Kolsek reiterated that doing so will do nothing to prevent attacks that originate on local networks, which can be a problem in large organizations, where a compromise of one machine can be used as a jumping-off point to infect other PCs or workstations.

“To own a single computer inside a network is very easy,” he said. “This type of vulnerability would make it really easy to get from this computer to owning some more interesting computers, for example, those belonging to admins. The external firewall would obviously not stop that.” ®

This article was updated to correct the spelling of Mitja Kolsek's name.

