Microsoft Windows Insecure Library Loading

11:27 CET on the 24th August 2010
Entry written by Carsten Eiram.

For the past week, there has been quite a stir about a new class of vulnerabilities, or rather a new, remote vector for exploiting an old class of vulnerabilities: insecure library loading.

This vulnerability class has been known for many years, but hasn't been taken that seriously in the past as it was believed to require an attacker to plant a malicious file in a directory within the search path on a user's system. However, the discovery of the remote vector just made this serious.

Yesterday, Microsoft issued a security advisory to warn about the remote attack vector along with blogs containing additional information from the MSRC and SRD teams.

The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practices in applications when loading libraries, combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). If a programmer does not do so and only supplies the library name, Windows searches for the file in a number of directories in a particular order.

These directories may include the current working directory, which is the core of the problem behind the new, remote attack vector: if the current directory happens to be e.g. a remote SMB or WebDAV share, Windows eventually searches for the file there. This is the case if a user is, for example, tricked into opening a file located on a remote share. If a malicious library that a vulnerable application searches for is placed on the share, it is loaded into the application and its code is executed with the privileges of the user running the application.

As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified.
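The two practices named above (pass a fully qualified path, or call SetDllDirectory() with a blank path first) look like this in C. This is an added example, not code from the original post or from Microsoft; `build_qualified_path` and `load_from_system_dir` are hypothetical helpers, and `version.dll`, `example.dll` and the System32 path are sample values.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join a directory and a bare DLL name into a fully qualified path.
 * Returns 0 on success, -1 if the name carries its own path component
 * or the result does not fit. Hypothetical helper for this example. */
int build_qualified_path(char *out, size_t cap, const char *dir, const char *name)
{
    if (!out || !dir || !name || !*dir || !*name) return -1;
    if (strpbrk(name, "\\/:") != NULL) return -1;   /* bare names only */
    int n = snprintf(out, cap, "%s\\%s", dir, name);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

#ifdef _WIN32
/* Hardened load: the loader is handed a full path, so it does not walk
 * the search order for this file and never consults the current directory. */
HMODULE load_from_system_dir(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (build_qualified_path(full, sizeof full, sysdir, name) != 0) return NULL;
    return LoadLibraryA(full);
}
#endif

int main(void)
{
    char full[260];
#ifdef _WIN32
    /* Insecure pattern the post describes: LoadLibraryA("example.dll");
     * a bare name lets Windows fall back to the current directory. */
    SetDllDirectoryA("");   /* blank path: drop the current directory from the search */
    HMODULE h = load_from_system_dir("version.dll");
    printf("version.dll %s\n", h ? "loaded from system directory" : "not loaded");
#endif
    /* Constructed sample directory, so the path logic also runs off Windows. */
    if (build_qualified_path(full, sizeof full, "C:\\Windows\\System32", "example.dll") == 0)
        printf("%s\n", full);
    return 0;
}
```

Calling SetDllDirectory() with a blank path early in startup also covers libraries that the loaded DLL pulls in by bare name, which the fully qualified path alone does not.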

Currently, we are seeing reports from various researchers having identified anywhere between 40 and 200 vulnerable applications, but the actual number may be a lot higher as many programmers do not follow Microsoft's recommendation for secure library loading (this includes Microsoft's own programmers as, according to HD Moore, at least four affected Microsoft applications have been identified).

ACROS Security has already reported this vulnerability for Apple iTunes and it was fixed in version 9.1. HD Moore has also identified a large number of affected applications, but has not disclosed the list; instead, he has made an audit kit available to determine affected applications.

To protect against attacks, Microsoft has released a tool that helps system administrators and users to configure the search path order either on a per application basis or system-wide.

Companies can also mitigate remote exploitation by ensuring that SMB traffic is disabled on perimeter firewalls (TCP ports 139 and 445) and by disabling the WebClient service on all systems.

As this vulnerability is related to a general design problem, Windows security mechanisms like ASLR etc. provide no protection. It's simply a matter of opening a file located on e.g. a remote share using a vulnerable application and you're owned.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Discuss this blog entry
Anthony Wells RE: Microsoft Windows Insecure Library Loading
Expert Contributor 26th Aug, 2010 11:51
Last edited on 26th Aug, 2010 11:51

As someone with just enough IT knowledge to be dangerous, I find this level of "unknown" insecurity to be very disconcerting, i.e. 200 or more - so far - unnamed programmes likely to be exploitable.

With my (less than) average technical skill levels, I would not be overconfident of applying the M$ "tool" workaround(s) to my single PC with XP SP3. Rightly or wrongly, it appears to me that I am less at risk because I am not connected to a network; perhaps someone can qualify this??

Firefox has just been implicated and is seemingly the first programme to affect me directly:

http://secunia.com/advisories/41095/

So for now I shall be putting my faith in Secunia to keep me advised of when/if any other of my programmes display the vulnerability. It's easily the best defence I can find to suit my level of competence.

Quite what people without (access) to Secunia are going to do, I have no idea, but I doubt blind faith is the answer for today.

Take extra care

Anthony


--


It always seems impossible until its done.
Nelson Mandela
smurphdude RE: Microsoft Windows Insecure Library Loading
Contributor 29th Aug, 2010 08:50
Last edited on 29th Aug, 2010 08:51
An unofficial list of applications affected by this vulnerability including those that have released a patch to date (VLC mediaplayer and uTorrent) can be found here.

http://www.corelan.be:8800/index.php/2010/08/25/dl...
ddmarshall RE: Microsoft Windows Insecure Library Loading
Dedicated Contributor 1st Sep, 2010 15:53
Microsoft have issued an article explaining how this vulnerability can be exploited.
http://blogs.technet.com/b/srd/archive/2010/08/31/...

The knowledge base article has also been updated to include an automatic Fixit which blocks attacks from remote locations.
http://support.microsoft.com/kb/2264107
The workaround tool must be installed before running the Fixit.

--
This answer is provided “as-is.” You bear the risk of using it.
edubr2010 RE: Microsoft Windows Insecure Library Loading
Member 18th Sep, 2010 13:15
Last edited on 18th Sep, 2010 13:15
The remote vector has been known for ages. How come Microsoft have not realised it before?

If you see this vulnerability: http://secunia.com/advisories/38916/
It uses the exact same "technique".
double0fox RE: Microsoft Windows Insecure Library Loading
Member 11th Oct, 2010 08:57
(unknown source)
Microsoft have issued an article explaining how this vulnerability can be exploited.
http://blogs.technet.com/b/srd/archive/2010/08/31/...

The knowledge base article has also been updated to include an automatic Fixit which blocks attacks from remote locations.
http://support.microsoft.com/kb/2264107
The workaround tool must be installed before running the Fixit.


Fix includes results for multiple versions of Windows and uses Microsoft Fix It, and a hotfix for each respective OS.