Windows bug affects hundreds of programs

An unpatched Windows security flaw is much worse than previously thought - and could affect hundreds of programs, a Slovenian security company has revealed.

On Wednesday, American researcher HD Moore announced that he had identified a 'zero-day' vulnerability common to around 40 Windows applications. At the time, he refused to divulge details of what the problem was, or what programs it affected - but described the bug as "trivial" to exploit.

Now, researchers from Acros Security have revealed that hundreds of programs are vulnerable to attack, rather than just the 40 originally anticipated. These include popular titles such as iTunes for Windows.

"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It appears that most every Windows application has this vulnerability."

Kolsek told US tech site Computerworld that Acros has been investigating a new type of Windows flaw for several months, and had uncovered more than 500 bugs affecting over 200 pieces of software.

According to Kolsek, the company told Windows maker Microsoft about the vulnerability - which he calls "remote binary planting" - more than four months ago.

"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability," said Kolsek.

The problem lies with the way Windows loads and executes .dll, .exe and .com files.

"The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables," Kolsek said.

Hackers can exploit this flaw to trick a wide range of Windows applications into loading and running malicious files, just as they do legitimate ones.
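The search-order behaviour Kolsek describes can be modelled in a few lines. This is an added example, not code from the article or from Acros; the directory layout, the file names and the assumption that the application and system directories are searched before the current working directory are constructed for illustration.

```python
import ntpath
import os
import tempfile

def resolve(name, search_dirs):
    """Return the first directory in search_dirs holding name, or None."""
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # a missing or unreadable directory is skipped
        # Windows file names are case-insensitive, so compare lowercased.
        if name.lower() in (entry.lower() for entry in entries):
            return directory
    return None

def loaded_from_cwd(names, earlier_dirs, cwd):
    """Names that end up being satisfied by the current working directory."""
    hits = []
    for name in names:
        if ntpath.dirname(name):
            continue  # a path-qualified load does not use the search order
        if resolve(name, list(earlier_dirs) + [cwd]) == cwd:
            hits.append(name)
    return sorted(hits)

def demo():
    """Build a constructed layout in temp dirs and audit five load requests."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed sample files, not taken from the article
            "app": ["core.dll"],
            "system": ["kernel32.dll"],
            "docs": ["report.doc", "helper.dll", "Kernel32.dll"],
        }
        for sub, files in layout.items():
            os.mkdir(os.path.join(root, sub))
            for f in files:
                open(os.path.join(root, sub, f), "w").close()
        app, system, docs = (os.path.join(root, s) for s in ("app", "system", "docs"))
        requested = ["kernel32.dll", "core.dll", "helper.dll",
                     "missing.dll", r"C:\app\plugins\abs.dll"]
        return loaded_from_cwd(requested, [app, system], docs)

if __name__ == "__main__":
    print(demo())
```

Only helper.dll is reported: it exists nowhere earlier in the list, so the copy sitting in the working directory is the one picked up, while kernel32.dll is satisfied before the working directory is reached and the path-qualified request never uses the search at all.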

The problem facing Microsoft is that most Windows applications rely on this technique to function - which may prevent the issue from being fixed by a single patch. Instead, the problem may require individual application vendors to issue separate patches.

Kolsek said he expected Microsoft to "do something very quickly", but said he had no idea about the software giant's timetable.

Acros expects to publish more information on the vulnerability soon.