Yesterday Microsoft released a security advisory addressing a bug in the way many applications are coded which could be exploited to attack Windows PCs. Microsoft was quick to point out that this new class of remote attacks is not related to specific vulnerabilities in Microsoft products, but that doesn't mean that Microsoft's applications are properly coded to avoid this issue either.
Christopher Budd, senior security response communications manager for Microsoft, explains the core issue behind the bug in a blog post. "These attacks are not new or unique to the Windows platform. For instance, PATH attacks that are similar to this issue constitute some of the earliest class of attacks against the UNIX operating system. The attack focuses on tricking an application into loading a malicious library when it thinks it's loading a trusted library. For this to succeed, the application has to call the trusted library by name instead of properly using its full path."
The binary planting--or DLL preloading--bug is an old, known flaw, but security researchers have found that it is much easier to exploit remotely than Microsoft may have previously believed. Budd stresses that the vulnerability is in the way applications are coded and not a function of Windows itself. He also states "We are currently conducting a thorough investigation into how this new vector may affect Microsoft products."
Stanka Šalamun of ACROS Security, the security research team that originally discovered this new attack vector, e-mailed to point me to the ACROS Security blog and inform me that his team shared "fully detailed bug reports for two of the 121 binary planting issues we'd thus far found in 41 Microsoft's applications."
Mitja Kolsek, the ACROS Security team member who authored the blog post, describes how ACROS has worked diligently with Microsoft to address this bug, and explains why his team didn't simply hand all of the information to Microsoft rather than leave Microsoft to conduct a thorough investigation to uncover what ACROS already knows. Kolsek explains "While we did give them a list of their vulnerable products (with versions), we declined to provide the details for free (this is our core business after all)," adding "Microsoft respects our desire to get compensated for providing such valuable data, and we respect their policy of not paying for vulnerability information."
Budd stressed in his post that "Because this is a new vector, rather than a new class of vulnerability, the existing best practices that protect against this class of vulnerability, automatically protect against this new vector: ensuring that applications make calls to trusted libraries using full path names." But apparently many Microsoft applications don't follow these existing best practices.
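To make the coding point concrete, here is an added C model of the two loading styles Budd contrasts; it is illustration written for this article, not code from Microsoft, ACROS or the advisory. It does not call the real Windows loader: instead it replays the DLL search order over a small constructed table of existing files, in which the user has opened a document from a remote share (so that share is the process's current directory) and a library of the same name the application asks for has been placed beside the document. The directory names, file names and the share path are all constructed; the search order is a simplified version of the documented one, with only the current directory's position varying by SafeDllSearchMode.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of the filesystem: absolute paths of files that exist.
   The "\\share\docs" entries stand in for a remote share the user opened a
   document from; that share becomes the process's current directory, and a
   library with the name the application will ask for sits next to the file. */
static const char *const FILES[] = {
    "C:\\Program Files\\App\\app.exe",
    "C:\\Windows\\System32\\kernel32.dll",
    "\\\\share\\docs\\report.doc",
    "\\\\share\\docs\\helper.dll",      /* same name as an optional library */
    NULL
};

static bool file_exists(const char *path) {
    for (size_t i = 0; FILES[i]; i++)
        if (strcmp(FILES[i], path) == 0) return true;
    return false;
}

/* Constructed directory names used by the search-order model. */
static const char *const APP_DIR     = "C:\\Program Files\\App";
static const char *const SYSTEM_DIR  = "C:\\Windows\\System32";
static const char *const WINDOWS_DIR = "C:\\Windows";
static const char *const CWD         = "\\\\share\\docs";

static void join(char *out, size_t n, const char *dir, const char *name) {
    snprintf(out, n, "%s\\%s", dir, name);
}

/* Vulnerable style: the application asks for a library by bare name, so the
   loader walks a search order. With SafeDllSearchMode on, the current
   directory is searched after the system directories; with it off, the
   current directory comes right after the application directory. Either
   way, a library the application does not ship and Windows does not provide
   is found wherever the current directory happens to point.
   Returns a pointer to a static buffer, or NULL when nothing matches. */
const char *resolve_unqualified(const char *name, bool safe_search_mode) {
    static char buf[512];
    const char *order_safe[]   = { APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CWD, NULL };
    const char *order_unsafe[] = { APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR, NULL };
    const char *const *order = safe_search_mode ? order_safe : order_unsafe;
    for (size_t i = 0; order[i]; i++) {
        join(buf, sizeof buf, order[i], name);
        if (file_exists(buf)) return buf;
    }
    return NULL;
}

/* Hardened style, the practice Budd's post recommends: the application names
   the directory it trusts and builds a full path, so no search happens. The
   name must be a bare file name; anything containing a separator or drive
   letter is refused rather than allowed to redirect the load elsewhere.
   A library missing from the trusted directory fails to load instead of
   being picked up from the current directory. */
const char *resolve_full_path(const char *trusted_dir, const char *name) {
    static char buf[512];
    if (name == NULL || name[0] == '\0' || strpbrk(name, "\\/:") != NULL)
        return NULL;
    join(buf, sizeof buf, trusted_dir, name);
    return file_exists(buf) ? buf : NULL;
}

int main(void) {
    const char *hit = resolve_unqualified("helper.dll", true);
    printf("by name (safe mode):  %s\n", hit ? hit : "(not found)");
    hit = resolve_full_path(SYSTEM_DIR, "helper.dll");
    printf("by full path:         %s\n", hit ? hit : "(not found, load fails)");
    return 0;
}
```

In real Windows code the hardened branch corresponds to passing an absolute path to LoadLibrary rather than a bare name; the model only shows why the bare name is dangerous whenever the requested library is absent from the application and system directories, which is exactly the situation the remote vector relies on.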
The bottom line is that at least 41 Microsoft applications are plagued by this binary planting issue according to ACROS Security's research. ACROS has pointed Microsoft in the right direction, and it's possible that Microsoft could uncover additional applications affected by this issue.
IT admins should understand the risks exposed through this bug, and the steps that can be taken to mitigate those risks--including using the tool developed by Microsoft. The problem exists well beyond the 41 identified Microsoft applications, and the ACROS Security team claims "we can safely say that all Windows users can at this moment be attacked via at least one remote binary planting vulnerability."