Microsoft released a security advisory in response to a potential exploit, known as DLL preloading or binary planting, which has been found to impact hundreds of third-party Windows applications, possibly including software developed by Microsoft itself. Unfortunately, this isn’t a simple Windows vulnerability that Microsoft can fix with its next patch release, so it’s important that you understand the flaw and what is at risk, as well as what you can do to protect your systems.
What is Binary Planting?
According to a post on the Microsoft Security and Defense Research blog, “When an application loads a DLL without specifying a fully qualified path name, Windows will attempt to locate the DLL by searching a defined set of directories … For the sake of this issue, it’s sufficient to say that if an attacker can cause an application to LoadLibrary() while the application’s current directory is set to an attacker-controlled directory, the application will run the attacker’s code.”
How Big is the Problem?
While Microsoft acknowledges that it is investigating internal software code to determine if Microsoft products are impacted as well, some researchers feel Microsoft is downplaying the possibility. Andrew Storms, director of security operations for nCircle, noted “The big question of the day doesn’t concern third party application developers that didn’t follow Microsoft’s programming advice and so are vulnerable to this category of attack. The big question is: which of Microsoft’s own products are vulnerable?”
One security firm has issued the blunt warning “we can safely say that all Windows users can at this moment be attacked via at least one remote binary planting vulnerability.”
How Can This Flaw be Exploited?
If an attacker lures a user into opening a remote file with a vulnerable program (one that does not load external libraries securely), the program may attempt to load one of its libraries from that remote location. If a specially crafted malicious library is loaded from the remote location, the attacker can execute malicious code on the user’s PC.
Network file systems such as WebDAV and SMB offer remote attack vectors that an attacker can use to serve malicious files and attempt to exploit this flaw. A successful attack grants the attacker access to the vulnerable system with the same user rights as the currently logged-on user. If the logged-on user has administrative privileges, the attacker can install other malicious software, change or delete data, and have carte blanche on the compromised machine.
How Can These Attacks Be Prevented?
Microsoft can’t simply patch the vulnerability, but it did develop a tool that IT admins can use to control external library loading behavior and mitigate the threat. The tool allows IT admins to set two registry keys to modify how Windows responds to potential binary planting attacks. One registry key sets behavior on a system-wide basis, and the other registry key controls library loading behavior on a per-application basis.
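The two registry settings described above, written out as an added PowerShell example; this is not Microsoft’s tool or any script from the article. The value name and its two locations (CWDIllegalInDllSearch under the Session Manager key for the system-wide setting, and under an application’s Image File Execution Options key for the per-application setting) and the meaning of each value are taken from Microsoft’s documentation of the mitigation (KB 2264107), not from this page; the application name LegacyViewer.exe is a constructed placeholder.

```powershell
# Added example: apply and read back the CWDIllegalInDllSearch mitigation.
# Run from an elevated PowerShell prompt on a system that has the mitigation
# update installed. Value meanings (per Microsoft's documentation of the fix):
#   0xFFFFFFFF  never search the current working directory (CWD) for DLLs
#   2           skip the CWD only when it is a WebDAV folder
#   1           skip the CWD when it is any remote folder (WebDAV or UNC share)
#   0 / absent  default search order, in which the CWD is searched

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlockAll', 'BlockRemote', 'BlockWebDav', 'Default')]
        [string] $Mode,
        # Executable file name (not a full path) for a per-application override;
        # omit it to change the system-wide setting.
        [string] $Application
    )
    # REG_DWORD stores 32 raw bits; [int32]-1 is written as 0xFFFFFFFF and avoids
    # the Int32 range problem that the literal 0xFFFFFFFF (an Int64) can cause.
    $value = switch ($Mode) {
        'BlockAll'    { [int32]-1 }
        'BlockRemote' { 1 }
        'BlockWebDav' { 2 }
        'Default'     { 0 }
    }
    $key = if ($Application) { Join-Path $IfeoRoot $Application } else { $SystemKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-CwdDllSearchPolicy {
    param([string] $Application)
    $key  = if ($Application) { Join-Path $IfeoRoot $Application } else { $SystemKey }
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Default (value not set: CWD is searched)' }
    # Get-ItemProperty returns a DWORD as Int32, so 0xFFFFFFFF comes back as -1;
    # mask it to an unsigned value before comparing.
    $raw = [uint32]($item.$ValueName -band 0xFFFFFFFF)
    switch ($raw) {
        4294967295 { 'BlockAll (0xFFFFFFFF): CWD never searched' }
        1          { 'BlockRemote (1): CWD skipped when remote' }
        2          { 'BlockWebDav (2): CWD skipped when WebDAV' }
        0          { 'Default (0): CWD is searched' }
        default    { "Unrecognised value $raw" }
    }
}

# System-wide: refuse DLL loads from the CWD whenever it is a remote folder.
Set-CwdDllSearchPolicy -Mode BlockRemote
# Tighter setting for one application known to load optional DLLs by bare name
# (LegacyViewer.exe is a constructed placeholder).
Set-CwdDllSearchPolicy -Mode BlockAll -Application 'LegacyViewer.exe'

Get-CwdDllSearchPolicy
Get-CwdDllSearchPolicy -Application 'LegacyViewer.exe'
```

The system-wide value of 1 is the usual starting point because it closes the WebDAV and SMB vectors the article describes without touching applications that load DLLs from a local working directory; the 0xFFFFFFFF setting is safer but should be tested per application, since some programs legitimately depend on the CWD being searched. The per-application value overrides the system-wide one for that executable.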
nCircle’s Storms offered stronger guidance for mitigating remote attacks. “At this point, the best mitigation advice we have is to block SMB at the perimeter and disable web client service.”
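A host-level version of that advice, as an added PowerShell example (not a script from nCircle, Microsoft or the article): it disables the WebClient service, which is what lets Windows treat a WebDAV URL as a file share, and adds a Windows Firewall rule blocking outbound SMB while the machine is on a Public network. The firewall part assumes the NetSecurity module (Windows 8 / Server 2012 and later); blocking SMB at the network perimeter, as Storms recommends, is still done on the edge firewall and is not replaced by this.

```powershell
# Added example: host-side mitigations for the remote binary planting vectors.
# Run from an elevated PowerShell prompt.

function Disable-WebDavClient {
    # Stop and disable the WebClient (WebDAV redirector) service so a lured user
    # cannot end up with the current directory set to an attacker's WebDAV folder.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'WebClient service not present on this system' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    return "WebClient: $((Get-Service -Name WebClient).Status), startup Disabled"
}

function Block-OutboundSmbOnPublicNetworks {
    # Block outbound SMB (TCP 445) and NetBIOS session traffic (TCP 139) when the
    # host is on a Public profile network, i.e. outside the corporate perimeter.
    # Domain and Private profiles are left alone so internal file servers keep working.
    $name = 'Block outbound SMB on Public networks (binary planting mitigation)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name
    }
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 139, 445 `
        -Profile Public -Enabled True | Out-Null
    # Read the rule back so the result can be checked.
    Get-NetFirewallRule -DisplayName $name |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, RemotePort
}

Disable-WebDavClient
Block-OutboundSmbOnPublicNetworks
```

Disabling WebClient removes the ability to open WebDAV shares from Explorer and some applications, so confirm nothing in the environment depends on it before rolling the change out widely.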
Given the nature of the flaw and the vast number of software developers involved, it doesn’t seem like there will be any overnight fix or magic patch to address this issue. IT admins need to assess the risk posed by binary planting and apply appropriate controls to prevent attack.