A critical bug in iTunes for Windows has already been patched, but it may turn out many more Windows applications are at risk, according to a leading security expert.
The bug was initially identified by Slovenian bug sleuthing firm Acros Security, which said in a security advisory issued Wednesday that it had already notified Apple (NASDAQ: AAPL).
Apple said it fixed the problem with iTunes 9.1 months ago, according to an Apple advisory. The security hole affects iTunes running on Windows XP, Vista, and Windows 7.
However, the problem appears to be much more widespread, HD Moore, chief security officer at security firm Rapid7 and chief architect of the Metasploit hacking tool, said on Twitter Wednesday.
"The cat is out of the bug [sic], this issue affects about 40 different apps, including the Windows shell: http://bit.ly/bFrilm," Moore's tweet said.
Moore did not name any of the other affected Windows applications beyond the Windows shell. Ironically, Microsoft released a so-called "out-of-band" patch for a different problem in the Windows shell earlier this month -- a zero-day security hole that surfaced in mid-July.
Although Acros posted a discussion of the bug in its advisory, the company declined to give specifics that might lead hackers to figure out how to exploit the security flaw.
"Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation," Acros said in its post.
Meanwhile, what is known is that an exploit would involve an attacker planting a malicious dynamic link library (DLL) on a network share and tricking the user into opening a media file from that location. This is the classic DLL search-order ("binary planting") pattern: when a document is opened from a share, that share becomes the application's current working directory, which Windows consults when the application loads a library by bare name, so a DLL the application expects but does not ship can be supplied by the attacker. Acros posted a workaround, which involves blocking all outbound Microsoft network protocols (SMB and WebDAV) at the firewall so that remote shares cannot be reached, but Acros acknowledged that this would not completely eliminate the threat. The firewall rule only cuts off remote shares; a DLL planted on removable media or in a local directory the user opens files from would still be loaded.
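The mechanism behind that exploit path is the Windows DLL search order, which the reporting above does not spell out. The following is an added illustration and not code from the article, Acros, Apple or Metasploit: a portable C model of the search order, run against a constructed directory layout on disk rather than through Win32 calls, so it builds on any platform. The `/tmp/binary_planting_demo` path, the directory names and the DLL name `optionaldep.dll` are assumptions. On Windows itself the corresponding hardening is to call `SetDllDirectory(L"")` at startup, or to pass `LoadLibrary` a fully qualified path, so the current directory is never searched.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Where the simulated loader found the library. */
enum dll_origin {
    DLL_NOT_FOUND = 0,
    DLL_FROM_APP_DIR = 1,
    DLL_FROM_SYSTEM_DIR = 2,
    DLL_FROM_CWD = 3
};

static int file_exists(const char *dir, const char *name)
{
    char path[1024];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return stat(path, &st) == 0;
}

/* Model of the search Windows performs for LoadLibrary("name.dll") with a bare
 * name and SafeDllSearchMode on (the default since XP SP2): application
 * directory, system directory, current working directory. The real order also
 * has the 16-bit system directory, the Windows directory and PATH; they are left
 * out because they do not change the outcome here. When a media file is opened
 * from a network share, the CWD is that share, so a DLL the application asks
 * for but does not ship is taken from the attacker. include_cwd == 0 models
 * SetDllDirectory(L""), which removes the CWD from the search. */
enum dll_origin resolve_dll(const char *name, const char *app_dir,
                            const char *sys_dir, const char *cwd, int include_cwd)
{
    if (file_exists(app_dir, name))
        return DLL_FROM_APP_DIR;
    if (file_exists(sys_dir, name))
        return DLL_FROM_SYSTEM_DIR;
    if (include_cwd && file_exists(cwd, name))
        return DLL_FROM_CWD;
    return DLL_NOT_FOUND;
}

static int make_dir(const char *path)
{
    return (mkdir(path, 0700) == 0 || errno == EEXIST) ? 0 : -1;
}

static int touch(const char *dir, const char *name)
{
    char path[1024];
    FILE *f;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Constructed layout under base (an assumed scratch tree, not a real iTunes
 * install): app/ holds the player, system32/ holds a genuine system DLL, and
 * share/ stands in for the attacker's network share, where the planted DLL is
 * the only copy anywhere. Returns 0 on success. */
int build_scenario(const char *base, const char *planted_name)
{
    char app[1024], sys[1024], share[1024];
    snprintf(app, sizeof app, "%s/app", base);
    snprintf(sys, sizeof sys, "%s/system32", base);
    snprintf(share, sizeof share, "%s/share", base);
    if (make_dir(base) || make_dir(app) || make_dir(sys) || make_dir(share))
        return -1;
    if (touch(app, "player.exe") || touch(sys, "kernel32.dll") ||
        touch(share, planted_name))
        return -1;
    return 0;
}

int main(void)
{
    const char *base = "/tmp/binary_planting_demo"; /* assumed scratch path */
    const char *planted = "optionaldep.dll";          /* assumed DLL name */
    char app[1024], sys[1024], share[1024];
    static const char *label[] = { "not found (load fails safely)",
                                   "application dir", "system dir",
                                   "CWD = attacker share (hijacked)" };

    if (build_scenario(base, planted) != 0) {
        perror("build_scenario");
        return 1;
    }
    snprintf(app, sizeof app, "%s/app", base);
    snprintf(sys, sizeof sys, "%s/system32", base);
    snprintf(share, sizeof share, "%s/share", base);

    /* A real system DLL is found before the CWD is ever consulted. */
    printf("kernel32.dll -> %s\n", label[resolve_dll("kernel32.dll", app, sys, share, 1)]);
    /* A DLL the app looks for but does not ship: the share wins. */
    printf("%s -> %s\n", planted, label[resolve_dll(planted, app, sys, share, 1)]);
    /* The same lookup once the CWD has been removed from the search. */
    printf("%s -> %s\n", planted, label[resolve_dll(planted, app, sys, share, 0)]);
    return 0;
}
```

The point to notice is that SafeDllSearchMode does not help against this class: it only moves the CWD behind the system directories, and the attacker targets a library that exists in none of them, so the CWD entry is still the first hit. Removing the CWD from the search turns the hijack into a failed load, which is the behaviour an application should prefer for an optional dependency.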
Nor has anyone -- Moore or Acros -- listed the other programs that might be affected by the hole.
Calls to Moore at Rapid7 were not returned by publication time.
"Microsoft is investigating reports of a possible remote code execution vulnerability affecting software running on Windows," Christopher Budd, response manager in the Microsoft Security Response Center, said in an e-mailed statement to InternetNews.com.
"When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem," Budd added.
Follow eSecurityPlanet on Twitter @eSecurityP.