
Hundreds of Windows apps vulnerable to attack

Zero-day bug problem worse than first thought

An unpatched problem with Windows applications is much worse than first thought, with hundreds of programs, not just 40, vulnerable to attack, according to a Slovenian security company.

"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It appears that most every Windows application has this vulnerability."

Earlier this week, American researcher HD Moore announced that he had stumbled on about 40 Windows applications with a common vulnerability, but declined to name the programs or go into detail about the bug.

Yesterday, Kolsek said that Acros has been digging into a new class of vulnerabilities for months, has found more than 200 flawed applications harbouring more than 500 separate bugs, and reported its findings to Microsoft more than four months ago.

In other words, the problem is much more widespread than Moore let on.

"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability," said Kolsek. Acros built a specialised tool to help its researchers pinpoint which applications were vulnerable.

According to Kolsek, the bug is in how most applications load and execute code libraries - ".dll" files in Windows - and executables, including ".exe" and ".com" files. He dubbed the class of bugs "remote binary planting" and said the flaws could be easily exploited.

"The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables," he said. Hackers can use that to trick a wide range of Windows applications into loading malicious files, just as they normally do their own .dll or .exe files.

Most Windows applications rely on the functionality to operate, a problem that may prevent Microsoft from issuing a single patch. Although Microsoft could patch Windows to change the functionality, Kolsek at one point said he believed that such a fix could break scores of applications.
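
The search-order behaviour described above, as an added example that is not part of the original article and is not Acros's tool: a simplified Python model that audits which library names an application requests would be satisfied from the current working directory, and what happens to them if that directory is dropped from the search. The three-step order (application directory, system directory, current working directory), the function names and all file names are assumptions made for illustration.

```python
import os
import tempfile

def resolve(name, search_dirs):
    """Return (label, path) of the first directory that holds `name`, else None."""
    for label, directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return label, candidate
    return None

def audit_loads(requested, app_dir, system_dir, cwd):
    """Report, per requested library, where it resolves with and without the CWD."""
    # Assumed, simplified search order; the CWD is consulted last.
    with_cwd = [("app", app_dir), ("system", system_dir), ("cwd", cwd)]
    without_cwd = with_cwd[:2]
    report = {}
    for name in requested:
        hit = resolve(name, with_cwd)
        safe = resolve(name, without_cwd)
        report[name] = {
            "resolved_from": hit[0] if hit else None,
            # True when only the working directory could satisfy the load.
            "planted_risk": bool(hit and hit[0] == "cwd"),
            "resolved_without_cwd": safe[0] if safe else None,
        }
    return report

def build_demo():
    """Constructed layout: optional.dll exists only in the working directory."""
    root = tempfile.mkdtemp(prefix="planting_demo_")
    dirs = {k: os.path.join(root, k) for k in ("app", "system", "share")}
    for d in dirs.values():
        os.makedirs(d)
    for folder, name in (("app", "core.dll"), ("system", "kernel.dll"),
                         ("share", "optional.dll"), ("share", "core.dll")):
        with open(os.path.join(dirs[folder], name), "wb") as fh:
            fh.write(b"placeholder")  # constructed stand-in, not a real library
    return dirs

def run_demo():
    dirs = build_demo()
    # "share" plays the working directory, e.g. the folder of an opened document.
    return audit_loads(["core.dll", "kernel.dll", "optional.dll"],
                       dirs["app"], dirs["system"], dirs["share"])

if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, row)
```

In the constructed layout only `optional.dll` is flagged: the copy of `core.dll` in the working directory never wins because the application directory is searched first, while removing the working directory from the search leaves `optional.dll` unresolved, which is the compatibility cost the article describes.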

"I'm very confident that Microsoft will come up with a solution that will work fairly well for most people," said Kolsek. "But it's not going to remove the problem."

If Microsoft doesn't come up with a fix, application vendors may have to issue separate patches. Another option may be for Microsoft to issue an update targeted at developers, who would then use it to patch their own code, a tactic used two years ago when it addressed a bug in the ATL (Active Template Library) code library.

Kolsek also said that he thought Microsoft would have some kind of solution sooner rather than later. "They'll do something very quickly," he said. He added that he wasn't privy to Microsoft's schedule.

Acros plans to publish more information on the vulnerability class soon.
