Feeds

Microsoft confirms code-execution bug in Windows apps

'Cannot directly be addressed in Windows'

  • alert
  • submit to reddit

SANS - Survey on application security programs

Microsoft on Monday warned of a vulnerability in Windows applications made by third-party developers that allows remote attackers to execute malicious code on end-user PCs.

The company's security team is still investigating whether any Microsoft programs are susceptible to the so-called binary planting or DLL preloading attacks. Until patches are available, it said admins should run a new software tool that changes the way Windows loads application library files or disable several networking features to blunt attempts to exploit the flaw.

“Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory,” members of the Microsoft Security Response Center wrote here. “Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads.”

The advisory confirmed previous reports that the attacks exploit a weakness in the way programs load associated libraries. The corresponding binary files can be located in a variety of directories, including those on networks controlled by a malicious hacker.

The attack works because many applications ignore best security practices and search for the library based only on the file name, rather than the full directory path, the advisory said. When the current working directory is set to one controlled by the attacker, it's possible to cause load a malicious file.

The advisory didn't say how many applications are vulnerable. In an interview last week, Mitja Kolsek, CEO of application security firm Acros Security, said his company has identified about 200 Windows susceptible programs and warned there could be more.

H D Moore, CSO and chief architect of the Metasploit project, has said at least one component of Windows is also vulnerable.

Microsoft's advisory repeated Moore's previous guidance that admins disable WebDAV and block outgoing SMB connections on ports 445 and 139. Redmond has also released a software tool that changes the way Windows searches for DLL files. Different versions of Windows requires a specific versions of the tools. Download locations are here. Microsoft has additional details here and here.

Moore has also published this post with a wealth of information. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.