facebook rss twitter

Microsoft acknowledges DLL vulnerability

by Pete Mason on 25 August 2010, 17:34

Tags: Office 2010, Microsoft (NASDAQ:MSFT)

Quick Link: HEXUS.net/qazqx

Add to My Vault: x

This week Microsoft acknowledged a security hole in Windows that could allow malicious software to control a computer by taking advantage of a flaw in the way DLLs are loaded.  While there are a few workarounds, there is currently no universal fix for the problem.

The vulnerability - referred to as binary planting or DLL preloading - arises because certain programs don't specify the qualified path to an external link-library that they need to use.  An attacker can exploit this by planting malicious code into a DLL that will allow the system to be remotely controlled when executed. 

Unfortunately, the problem isn't limited to Microsoft software.  Even though the company has previously issued guidance on how to properly avoid the problem as a matter of good practice, many developers haven't followed the recommended security protocols.  These include programs such as Windows Live Mail and Windows Movie Maker as well as the Windows versions of uTorrent and Firefox 3.6.  Even Micorosoft's recently released Powerpoint 2010 is reported to be vulnerable.

The latest version of Apple's iTunes was at risk, but an update was released after the flaw was originally discovered in that software.

Though the software-giant has reiterated its guidance to developers, there isn't a great deal that users can do to help secure their systems beyond following general good security-practices.  The best action is simply to update affected software as soon as fixes are released.  

Full details on the exploit are available in Microsoft's Security Advisory.

HEXUS Forums :: 7 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by TheAnimus - Wed 25 Aug 2010 18:07
Erm, Guys.

Am I missing something here?

Newsflash, non-cryptographically signed binaries can be replaced.

Surely the only way to do this is to change either the path environment variable or file system access. From the MSDN

The directory from which the application loaded.
The system directory.
The 16-bit system directory.
The Windows directory.
The current directory.
The directories that are listed in the PATH environment variable.

So the folder which contains the application, if an attacker has access to that, your screwed.
The system folder, generally considered a good idea to not have write perms there.
16 bit system folder, same rule.
windows directory, spotting a pattern?
current directory YES VECTOR FOR ATTACK.
PATH environment vector again. However…..

Both those require code to be running as the local user, UAC and protected mode in IE will alleviate this a bit.

My point is, if your already able to run code as a local user that can frig environment variables and write to the current folder of another application, which requires those two methods for finding binaries, then you've already lost complete control of your system.

More-over there is no escalation exploit mentioned?

Sorry to say, as much as I love to tell others to write their code better (whilst writing lazyly myself) this is a non story.
Posted by TheAnimus - Wed 25 Aug 2010 18:22
after a quick check with mate who is more knowledgeable, it seems like this is very similar to the one a year ago which introduced: BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE which effectively stops the searching of the current directory.

I think the idea was that a user could be tricked into saving something into C:\Documents\WilliamFitzgerald
then when running an app which required environment variable PATH lookup (argh!!!!!) it would inject.

But that is very unlikely surely?
Posted by g8ina - Wed 25 Aug 2010 20:18
Crikey, he's good isnt he :)

(not sarcasm, I am genuinely inmpressed!)
Posted by TheAnimus - Wed 25 Aug 2010 21:25
Yup, but the proud boy won't come work for me, even when I offer a big ass pay rise! He just likes the security research too much.

But this is a very different beast to the itunes issue, that was just sheer retardedness, it would look for a helper binary on a foreign location, load it as a current user in security unrestricted, and execute it.

This is more a throwback to 1992, rather than something anyone should be really using. 1-4 should be enough, and if your using 5, you should be damn well aware of it warts and all. If 6, well I hope you have a damn good reason.
Posted by Flash477 - Thu 26 Aug 2010 09:49
I find it ironic that most of the applications mentioned are Microsoft ones :rolleyes:

SEE NEWER »