Researcher told Microsoft of Windows apps zero-day bugs 6 months ago
University researcher joins list of academics who claim that many Windows programs are vulnerable to attack due to way they load components
Microsoft has known since at least February that dozens of Windows applications, including many of its own, harbor bugs that hackers can exploit to seize control of computers, an academic researcher said Sunday.
At least four of the bugs can be exploited remotely, Taeho Kwon, a Ph.D. candidate at the University of California Davis, said in a paper he published in February and presented last month at an international conference.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Kwon added his voice to a growing chorus of researchers who claim that a large number of Windows programs are vulnerable to attack because of the way they load components.
Last week, U.S. researcher HD Moore said he had found at least 40 vulnerable applications, including the Windows shell. The next day, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began four months ago.
According to Moore, Acros and now Kwon, many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension. If hackers can plant malware disguised as a .dll in one of the directories an application searches when it looks for the library, they can hijack the PC.
On Saturday, Kwon claimed his work preceded Moore's and Acros'.
In the paper he presented last month at the International Symposium on Software Testing and Analysis (ISSTA), Kwon said that he had submitted a bug report to the Microsoft Security Response Center (MSRC).
"[MSRC] is working with us to develop necessary patches," said Kwon in the paper, which also carried the name of his advisor, Zhendong Su, an associate professor in the school's computer science department.
Kwon's paper detailed the systemic problem in Windows applications' loading of .dlls, listed 28 programs that collectively contained over 1,700 separate bugs, and spelled out how hackers could exploit those vulnerabilities.
He also developed a tool to detect unsafe .dll loads, then ran it on several popular programs. But unlike Acros, which used its own tool to do the same, Kwon named the software that failed the test.
According to Kwon, all the major applications in Microsoft's Office 2007 suite are vulnerable, as are Internet Explorer 8 (IE8), Firefox, Chrome, Opera and Safari browsers; PDF viewers including Adobe Reader and Foxit; instant messaging clients such as Windows Live Messenger, Skype and Yahoo Messenger; and multimedia players like QuickTime, Windows Media Player and Winamp.
In many cases, the applications he tested have been superseded by newer versions that may have been patched in the interim. For example, Kwon tested Mozilla's Firefox 3.0, which has been retired in favor of Firefox 3.5 and Firefox 3.6.
Kwon did not immediately respond to a second round of questions Sunday, including when he tested the applications for the .dll loading vulnerability.
But the UC Davis researcher, who classified the vulnerabilities as "resolution failure" and "resolution hijacking" bugs, noted that the flaws are not new.
