Microsoft Issues Application Security Warning

Microsoft issued an advisory on 23 Aug. for application developers and customers about a security issue impacting hundreds of third-party programs.

The week of 16 Aug, security researchers revealed that scores of applications running on Windows are affected by a class of vulnerabilities dubbed remote “binary planting” bugs by Acros Security. The situation, Microsoft said, is “caused by applications passing an insufficiently qualified path when loading an external library.”

According to Acros Security CEO Mitja Kolsek, the company found more than 200 vulnerable applications from about a hundred different vendors, with 520 binary planting issues identified in those applications. Seventy-percent of these bugs are DLL (dynamic link library) loading issues; the rest were due to insecure loading of executables such as .exe or .com files.

Social Engineering

“It’s really trivial to exploit these bugs—you only need to place some interesting-looking file on a remote share and put a malicious DLL alongside it (you can mark it as ‘hidden’ so the user won’t see it),” Kolsek told eWEEK in an e-mail. “Then you have to either lure the user into opening the file with lightweight social engineering or, if operating inside a corporate network, simply wait for users to start opening the file.”

“When the application loads one of its required or optional libraries, the vulnerable application may attempt to load the library from the remote network location,” Microsoft explained in its advisory. “If the attacker provides a specially crafted library at this location, the attacker may succeed at executing arbitrary code on the user’s machine.” Remote binary planting bugs “can be exploited over network file systems such as … WebDAV and SMB.”

To prevent these kinds of attacks, Microsoft has issued guidance for developers working with .DLL files. The company also released an “optional mitigation tool that helps customers address the risk of the remote attack vendor through a per-application and global configuration setting.”

As a class of vulnerabilities, binary planting bugs have been known of for years. “Although Microsoft has been providing the SetDllDirectory function to developers for a long time, our research shows that almost no applications have been using it to remove the current working directory from the search path,” Kolsek said. “We assume this is because the developers weren’t aware of the risks and could see no benefit in calling this function. Mind you, this function can also cause problems with third-party code integrated in, or ‘plugged in,’ to an application, and it only solves the DLL part of the problem while leaving executable-loading insecure.”

Blocking Outbound SMB

Though the problem affects some Microsoft applications, the underlying issue is something each application vendor will have to address, HD Moore, chief security officer at Rapid7, wrote on the company’s security blog. In the meantime, organisations can mitigate the situation by blocking outbound SMB and WebDAV connections at the perimeter and disabling the Web Client server on all their desktops through group policy, he advised.

“There are some workarounds that can be put in place in the short term and these will have a side effect of blocking similar exploits in the future,” Moore wrote.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

12 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

15 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

17 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

1 day ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

1 day ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago