The list of apps affected by binary planting bugs includes programs such as Mozilla Firefox and Adobe Photoshop, as well as Microsoft apps like PowerPoint 2010.
The fallout from the binary planting vulnerabilities plaguing scores of
programs running on Windows continued today as more names of susceptible
applications became public and the number of exploits exploded.
Belgian security site Corelan.be listed dozens of vulnerable applications, including several
Microsoft programs. Among them are Microsoft Word 2007, Microsoft Office
PowerPoint 2010 and Microsoft Office Visio 2003. VUPEN Security also published
a list of vulnerable applications that featured programs such as Mozilla
Firefox and Adobe Photoshop.
"Thus far, we have not observed any in-the-wild attacks leveraging this
new attack vector, but we have heard some reports of limited exploitation,"
said Marc Fossi, manager of research and development for Symantec Security
Response. "This doesn't come as a surprise, however, since exploit code
for some applications affected by this issue is now public."
During the week of Aug. 16, researchers at Acros Security said they had
found more than 200 applications vulnerable to the bugs. Rapid7 Chief Security
Officer HD Moore also said at the time he had found dozens of vulnerable
applications on his own. Moore recently updated an auditing tool he developed
to identify vulnerable applications on a local machine more quickly.
According to Microsoft, binary planting bugs are caused by applications
passing an insufficiently qualified path when loading an external library. Most
of the bugs Acros Security found, which totaled 520, were DLL (dynamic link
library) file loading issues, while the rest were due to insecure loading of
executables such as .exe and .com files.
To exploit the issue, attackers need to trick users into opening a file
using a vulnerable program.
"When the application loads one of its required or optional libraries,
the vulnerable application may attempt to load the library from the remote
network location," Microsoft explained in an advisory released Aug. 23.
"If the attacker provides a specially
crafted library at this location, the attacker may succeed at executing
arbitrary code on the user's machine." Remote binary planting bugs
"can be exploited over network file systems such as ... WebDAV
and SMB."
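
An added example, not taken from Microsoft's guidance or from any tool named in this article: a C loader wrapper that refuses the two cases described above, an insufficiently qualified library name and a remote (SMB or WebDAV) location. The names classify_library_path and load_library_checked and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum path_kind { PATH_UNQUALIFIED, PATH_REMOTE, PATH_LOCAL_ABSOLUTE };
static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Classify a library path before it reaches the loader (hypothetical helper). */
enum path_kind classify_library_path(const char *p)
{
    if (p == NULL || p[0] == '\0')
        return PATH_UNQUALIFIED;
    /* \\server\share\x.dll: SMB or WebDAV location (also rejects \\?\ paths) */
    if (is_sep(p[0]) && is_sep(p[1]))
        return PATH_REMOTE;
    /* C:\dir\x.dll is fully qualified; drive-relative C:x.dll is not */
    if (isalpha((unsigned char)p[0]) && p[1] == ':' && is_sep(p[2]))
        return PATH_LOCAL_ABSOLUTE;
    /* "x.dll" or ".\x.dll": the search order or current directory picks the
       file. This is the insecure pattern, e.g. LoadLibraryA("helper.dll"). */
    return PATH_UNQUALIFIED;
}

#ifdef _WIN32
/* Load only from a fully qualified path on a non-network drive. */
HMODULE load_library_checked(const char *path)
{
    char root[4] = { 0, ':', '\\', 0 };
    if (classify_library_path(path) != PATH_LOCAL_ABSOLUTE)
        return NULL;
    root[0] = path[0];
    if (GetDriveTypeA(root) == DRIVE_REMOTE)   /* mapped network share */
        return NULL;
    SetDllDirectoryA("");   /* drop the current directory from the search order */
    return LoadLibraryA(path);
}
#endif

int main(void)
{
    /* Constructed sample paths, not taken from any real application. */
    const char *samples[] = { "helper.dll", "\\\\fileserver\\share\\helper.dll",
                              "C:\\Program Files\\App\\helper.dll" };
    for (int i = 0; i < 3; i++)
        printf("%d  %s\n", classify_library_path(samples[i]), samples[i]);
    return 0;
}
```

The classifier is portable so it can be unit-tested anywhere; only load_library_checked touches the Win32 loader.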
Microsoft has issued some guidance to help developers working with .DLL files
avoid the vulnerabilities, as well as a tool "that helps customers address the
risk of the remote attack vector through a per-application and global
configuration setting."
To mitigate the issue, organizations can also disable the WebClient service
or block TCP ports 139 and 445 at the firewall, Microsoft advised.
Actually fixing the affected applications does not appear to be overly
difficult, Fossi said.
"However, the challenge is in the number of applications out there,
especially older programs, that are potentially vulnerable," he added. "Simply
raising awareness among application developers is going to be a major hurdle. ...
According to Microsoft, directly addressing this issue in Windows will result
in the loss of some expected functionality. As a result, they are recommending
that the onus be on application developers to fix it. However, we encourage
Microsoft to continue to look at ways to address this issue from a higher
level."