HD Moore, of Rapid7 and creator of the open-source Metasploit penetration-testing toolkit, revealed that “About 40 different Windows apps contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware.” The flaw was originally discovered in iTunes for Windows, and was patched by Apple four months ago with iTunes 9.1.
“He said a wide range of apps are affected, and it was found while looking into another flaw involving Windows shortcuts, which Microsoft patched in an emergency update. The flaw exists in how the programs handle malformed DLLs. While the methods to trigger the hole differ slightly from app to app, execution causes the hole to open which allows hacker to execute arbitrary code and/or install malware on the infected machine.”
To fix the problem: Moore said “each app would have to be patched on its own.” Users concerned with this vulnerability should block outbound TCP ports 139 and 445, as well as disabling WebDAV client.