Microsoft issued an advisory Aug. 23 for application developers and customers about a security issue impacting hundreds of third-party programs.
The week of Aug. 16, security researchers revealed that scores of applications running on Windows are affected by a class of vulnerabilities dubbed remote “binary planting” bugs by Acros Security. The situation, Microsoft said, is “caused by applications passing an insufficiently qualified path when loading an external library.”
According to Acros Security CEO Mitja Kolsek, the company found more than 200 vulnerable applications from about a hundred different vendors, with 520 binary planting issues identified in those applications. Seventy-percent of these bugs are DLL (dynamic link library) loading issues; the rest were due to insecure loading of executables such as .exe or .com files.
“It’s really trivial to exploit these bugs-you only need to place some interesting-looking file on a remote share and put a malicious DLL alongside it (you can mark it as ‘hidden’ so the user won’t see it),” Kolsek told eWEEK in an e-mail. “Then you have to either lure the user into opening the file with lightweight social engineering or, if operating inside a corporate network, simply wait for users to start opening the file.”
“When the application loads one of its required or optional libraries, the vulnerable application may attempt to load the library from the remote network location,” Microsoft explained in its advisory. “If the attacker provides a specially crafted library at this location, the attacker may succeed at executing arbitrary code on the user’s machine.” Remote binary planting bugs “can be exploited over network file systems such as … WebDAV and SMB.”
To prevent these kinds of attacks, Microsoft has issued guidance for developers working with .DLL files. The company also released an “optional mitigation tool that helps customers address the risk of the remote attack vendor through a per-application and global configuration setting.”
As a class of vulnerabilities, binary planting bugs have been known of for years.
“Although Microsoft has been providing the SetDllDirectory function to developers for a long time, our research shows that almost no applications have been using it to remove the current working directory from the search path,” Kolsek said. “We assume this is because the developers weren’t aware of the risks and could see no benefit in calling this function. Mind you, this function can also cause problems with third-party code integrated in, or ‘plugged in,’ to an application, and it only solves the DLL part of the problem while leaving executable-loading insecure.”
Though the problem affects some Microsoft applications, the underlying issue is something each application vendor will have to address, HD Moore, chief security officer at Rapid7, wrote on the company’s security blog. In the meantime, organizations can mitigate the situation by blocking outbound SMB and WebDAV connections at the perimeter and disabling the Web Client server on all their desktops through group policy, he advised.
“There are some workarounds that can be put in place in the short term and these will have a side effect of blocking similar exploits in the future,” Moore wrote.