A serious security vulnerability in iTunes for Windows turns out to affect many other Windows applications -- and not just those from Microsoft or Apple -- according to a graduate student in California who says he warned the software giant about the problem almost a year ago.
Now, with the flaw having been exposed publicly last week, Microsoft (NASDAQ: MSFT) is moving fast to limit the damage from a vulnerability that experts say poses a danger even though Apple (NASDAQ: AAPL) patched the iTunes vulnerability months earlier.
On Monday, Microsoft issued a security advisory providing a fix for users and warning security administrators and developers about the problem.
It also said that it had continued working with the researcher, Taeho Kwon, a Ph.D. candidate in computer science at the University of California, Davis, since he first alerted it to the vulnerability.
The flaw stems from the fact that a hacker could plant a malicious Dynamic Link Library (DLL) in a Windows directory. There, it could execute code designed to compromise a user's PC when the DLL is loaded by an operating system or an application. Kwon and a colleague, U.C. Davis Associate Professor Zhendong Su, detailed the vulnerability in a paper published last month at the Association for Computing Machinery's International Symposium on Software Testing and Analysis in Trento, Italy.
"Our results show that unsafe DLL loading is prevalent and can lead to serious security threats," Kwon and Su said in the paper. "Our tool detected more than 1,700 unsafe DLL loadings in 28 widely used software and discovered serious attack vectors for remote code execution."
Kwon added in an email to InternetNews.com that he notified Microsoft's Security Response Center (MSRC) about the vulnerability in August 2009.
But all evidently remained quiet until Slovenian research firm Acros Security last week issued its own security advisory regarding the same problem. Acros had already alerted Apple, which fixed the problem in iTunes in February.
Widespread security threats?
Security industry luminary HD Moore, who serves as chief security officer at Rapid7 and chief architect of the Metasploit vulnerability testing tool, also got involved last week. He claimed in a Twitter update that the hole affected a lot more applications than simply iTunes -- "about 40 different apps, including the Windows shell."
Kwon and Su came to the same conclusion in their research. Their paper, titled "Automatic Detection of Unsafe Component Loadings," (PDF format) listed a number of programs that are susceptible to the DLL vulnerability, including several of Microsoft's Office applications running under Windows XP and Vista. (The paper does not mention Windows 7, although that system was not available commercially to consumers until October.)
Other affected programs included most popular browsers, as well as media players from several vendors, the researchers claim.
"We found more than 1,700 instances of unsafe dynamic loadings, 786 under XP and 982 under Vista," Kwon and Su wrote in their paper.
Microsoft Says Tool Fixes DLL Vulnerability, Blames Bad Programming
Meanwhile, Microsoft said it has a new tool to help protect against attacks that take advantage of the flaw. The tool works by creating a new Windows Registry key that Microsoft said enables users and IT admins to better control how applications seek out DLLs to load.
"This tool allows system administrators to mitigate the risk of the vulnerability in question by altering the library-loading behavior for the operating system or for specific applications," Christopher Budd, Microsoft's senior security response communications manager, said in an email to InternetNews.com.
At the same time, Microsoft blamed the vulnerability on poor programming techniques.
"This issue is caused by specific, insecure programming practices that allow so-called 'binary planting' or 'DLL preloading attacks.' These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location," Microsoft said in its advisory.
Additionally, the company said it is examining its own applications for the vulnerable programming, as well as contacting other developers to make sure they're aware of the issue and the workarounds Microsoft recommends, Budd said.