Microsoft warns of DLL flaw involving remote servers

Microsoft issued a security advisory this evening about an old hacking trick that could affect Windows systems via remote servers.

The hack involves a problem with poorly written applications that call libraries (.DLL files) without specifying a path. The application looks into the local directory for the library, and, at that point, it can load malware (disguised as the library file) that could enable the attacker to gain the same Windows network privileges as the user. While this problem is well known and referred to as "DLL preloading attacks" or "binary planting," the new information triggering this latest security advisory is that such attacks can be accomplished using remote servers.

Microsoft's security advisory (2269637) notes that the problem is confined to flawed applications that "do not load external libraries securely." Also, the vulnerable application has to access "an untrusted remote file system location or WebDAV share" for the exploit to occur. Microsoft describes this flaw as "a new attack vector" for such exploits, as it was previously conceived as just a potential problem confined to local servers.

The problem is either associated with remote servers using WebDAV (or "Web-based Distributed Authoring and Versioning"), which is used with Internet Information Services in Windows, or with remote servers using the Server Message Block (SMB) protocol. One potential mitigating factor that can thwart such attacks is that the SMB file sharing protocol is typically "disabled on the perimeter firewall," according to Microsoft's advisory.

Microsoft is currently offering workarounds for supported Windows versions, as described in the security bulletin. IT pros can use a tool described in Knowledge Base article 2264107 to implement them. This tool disables library loading from remote networks or from WebDAV shares. It does that for specific applications or it can work across Windows systems. However, Microsoft has not yet publicly identified what applications have the vulnerability.

IT pros can also block "TCP ports 139 and 445 at the firewall" to protect Windows systems, according to the security advisory. However, various applications and services may not work with those ports blocked.

In general, Microsoft recommends that IT pros should test Windows systems if applying the workarounds. Some functionality may be diminished, a Microsoft Security Response Center (MSRC) blog post warns.

The exploit was pointed out by various independent security researchers, and Microsoft is continuing to worth with them and the software industry to "identify and address vulnerable applications," according to the MSRC blog. Microsoft plans to notify the public through "security advisories, security bulletins and the MSRC weblog as appropriate."

The problem is quite broad, with all Windows applications potentially being suspect. Microsoft has published best practices for application developers to help avoid this issue, but the guidelines might not have been that clear, Microsoft acknowledged in a security research and defense blog post.

"We recently published an MSDN article, 'Dynamic-Link Library Security,' that provides specific guidance to developers on how to load these libraries securely," the blog explained.

Microsoft is examining its own applications to see if they are affected. However, Computerworld's Gregg Keizer has already received a description from one of the researchers involved, Taeho Kwon, indicating that Microsoft Office 2007 and Internet Explorer have the flaw.

Keizer also noted that HD Moore, chief security officer at Rapid7, and Slovenian security company Acros, have noted the vulnerabilities. Acros found "more than 200 flawed Windows programs," according to Keizer's story.

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above