Microsoft is making a mitigation tool available to help organizations and developers deal with a class of vulnerabilities affecting hundreds of third-party Windows applications.
issued an advisory Aug. 23 for application developers and customers
about a security issue impacting hundreds of third-party programs.
The week of Aug. 16, security researchers revealed that scores of
applications running on Windows are affected by a class of vulnerabilities
dubbed remote "binary planting" bugs by Acros Security. The
situation, Microsoft said, is "caused by applications passing an
insufficiently qualified path when loading an external library."
According to Acros Security CEO Mitja
Kolsek, the company found more than 200 vulnerable applications from about a
hundred different vendors, with 520 binary planting issues identified in those
applications. Seventy-percent of these bugs are DLL (dynamic link library)
loading issues; the rest were due to insecure loading of executables such as
.exe or .com files.
"It's really trivial to exploit these bugs-you only need to place some
interesting-looking file on a remote share and put a malicious DLL alongside it
(you can mark it as 'hidden' so the user won't see it)," Kolsek told eWEEK
in an e-mail. "Then you have to either lure the user into opening the file
with lightweight social engineering or, if operating inside a corporate
network, simply wait for users to start opening the file."
"When the application loads one of its required or optional libraries,
the vulnerable application may attempt to load the library from the remote
network location," Microsoft explained in its advisory. "If the
attacker provides a specially crafted library at this location, the attacker
may succeed at executing arbitrary code on the user's machine." Remote
binary planting bugs "can be exploited over network file systems such as ...
WebDAV and SMB."
To prevent these kinds of attacks, Microsoft
has issued guidance for developers working with .DLL files. The company
also released an "optional
mitigation tool that helps customers address the risk of the remote attack
vendor through a per-application and global configuration setting."
a class of vulnerabilities, binary planting bugs have been known of for
"Although Microsoft has been providing the SetDllDirectory function to
developers for a long time, our research shows that almost no applications have
been using it to remove the current working directory from the search
path," Kolsek said. "We assume this is because the developers weren't
aware of the risks and could see no benefit in calling this function. Mind you,
this function can also cause problems with third-party code integrated in, or
'plugged in,' to an application, and it only solves the DLL part of the problem
while leaving executable-loading insecure."
Though the problem affects some Microsoft applications, the underlying issue
is something each application vendor will have to address, HD Moore, chief
security officer at Rapid7, wrote on the company's security blog. In the
meantime, organizations can mitigate the situation by blocking outbound
SMB and WebDAV connections at the perimeter and disabling the Web Client
server on all their desktops through group policy, he advised.
"There are some workarounds that can be put in place in the short term
and these will have a side effect of blocking similar exploits in the
future," Moore wrote.