ZoNi Posted January 4, 2011

Unpatched hole in ImgBurn disk burning application

According to security specialist Secunia, a highly critical vulnerability in ImgBurn, a lightweight disk burning application, can be used to remotely compromise a user's system. The security issue in the freeware program is reportedly caused by the application loading libraries (dwmapi.dll) in an "insecure manner", which can then lead to the execution of arbitrary code.

The problem has been confirmed to affect version 2.5.4.0 of ImgBurn, the latest release from 12 December; however, previous versions are also likely to be vulnerable. For an attack to be successful, a victim must first open a specially crafted file. As such, users are advised to avoid opening untrusted files.

http://www.h-online.com/security/news/item/Unpatched-hole-in-ImgBurn-disk-burning-application-1163003.html
http://secunia.com/advisories/42798

@ Lightning UK: is this really as bad as it sounds?

LIGHTNING UK! Posted January 4, 2011

It's due to the design of Windows when loading files (via 'LoadLibrary'). It'll attempt to load from the exe directory, current directory, system directory, windows directory and various places as per the 'PATH' environment variable... so if a fake/infected dwmapi.dll file was placed in one of those folders (remember that the ImgBurn folder is in 'Program Files' and that's locked down, and being a regular file, it'll need to have gotten past any AV on the system), when ImgBurn issues the 'LoadLibrary' command on said DLL file, it could load the fake/infected one rather than the real one in windows\system32.

ImgBurn wouldn't normally be running as admin so it has no permission to do anything drastic anyway.

So is it something I'm worried about... no, not really. ImgBurn is one of thousands of apps that have this 'vulnerability'.

LIGHTNING UK! Posted January 4, 2011

It's all detailed here: https://www.microsoft.com/technet/security/advisory/2269637.mspx

LIGHTNING UK! Posted January 4, 2011

FYI, the next version should be ok (or at least better!).

LIGHTNING UK! Posted January 13, 2011

v2.5.5.0 is out now and should fix the vulnerability.
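
Added example, not part of the thread and not ImgBurn's code: a Python audit that walks a DLL search order in the sequence listed in the post above and reports which copy of a DLL would be found first and whether it sits in the trusted system directory. The directory tree and folder names in `demo()` are constructed so the check runs offline; on a real machine you would pass the actual directories.

```python
import os
import tempfile

def find_in_dir(directory, dll_name):
    """Case-insensitive lookup, since Windows file names ignore case."""
    try:
        for entry in os.listdir(directory):
            path = os.path.join(directory, entry)
            if entry.lower() == dll_name.lower() and os.path.isfile(path):
                return path
    except OSError:
        pass  # missing or unreadable directory: nothing loads from it
    return None

def audit_dll(dll_name, search_dirs, trusted_dir):
    """Return (path that would load first, is it in trusted_dir, all copies)."""
    trusted = os.path.normcase(os.path.realpath(trusted_dir))
    copies = []
    for directory in search_dirs:
        hit = find_in_dir(directory, dll_name)
        if hit and hit not in copies:
            copies.append(hit)
    if not copies:
        return None, False, []
    first_dir = os.path.normcase(os.path.realpath(os.path.dirname(copies[0])))
    return copies[0], first_dir == trusted, copies

def demo():
    """Constructed directory tree standing in for a Windows machine."""
    root = tempfile.mkdtemp()
    exe, cwd, sys32, win, extra = (
        os.path.join(root, n) for n in ("app", "docs", "system32", "windows", "tools"))
    for directory in (exe, cwd, sys32, win, extra):
        os.makedirs(directory)
    # Order as listed in the post: exe dir, current dir, system, windows, PATH.
    order = [exe, cwd, sys32, win, extra]
    open(os.path.join(sys32, "dwmapi.dll"), "wb").close()  # genuine copy
    clean = audit_dll("dwmapi.dll", order, sys32)
    open(os.path.join(cwd, "DWMAPI.DLL"), "wb").close()    # stray copy, other case
    shadowed = audit_dll("dwmapi.dll", order, sys32)
    return clean, shadowed

if __name__ == "__main__":
    for first, trusted, copies in demo():
        print(first, "trusted" if trusted else "NOT TRUSTED", len(copies))
```

Any result where the first hit is not in the trusted directory means a copy earlier in the search order shadows the system one and should be investigated.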