Wednesday, September 1, 2010

Microsoft DLL Path vulnerability "in the wild"

This has been getting a lot of play in the trade press over the past week or so.  It's a complicated issue, and there is no simple patch.  The Microsoft "Fixit" isn't just a one-click fix like most of their "Fixits", either.  The Krebs on Security article below has a good but technical discussion of the problem.

FWIW I haven't patched any of my personal computers, but I never browse the Internet with "Administrator" rights and I never execute files directly from remote servers.  If you are a home user and do not work using a "Limited User" account, you should read the Krebs article and decide if you should patch.  Several applications that I use, including the VLC media player, have already patched themselves to fix this.

US-CERT Current Activity: Insecure Loading of Dynamic Link Libraries in Windows Applications
added August 25, 2010 at 12:01 pm | updated September 1, 2010 at 10:27 am
US-CERT is aware of a class of vulnerabilities related to how some Windows applications may load external dynamic link libraries (DLLs). When an application loads a DLL without specifying a fully qualified path name, Windows will attempt to locate the DLL by searching a defined set of directories. If an application does not securely load DLL files, an attacker may be able to cause the affected application to load an arbitrary library.

By convincing a user to open a file from a location that is under an attacker's control, such as a USB drive or network share, a remote attacker may be able to exploit this vulnerability. Exploitation of this vulnerability may result in the execution of arbitrary code.

Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#707943. US-CERT encourages users and administrators to review the vulnerability note and consider implementing the following workarounds until fixes are released by affected vendors:
  • disable loading libraries from WebDAV and remote network shares
  • disable the WebClient service
  • block outgoing SMB traffic
Update: Microsoft has released Fix it tool 50522 to assist users in setting the registry key value introduced with Microsoft support article 2264107 to help reduce the risks posed by the DLL loading behavior described in VU#707943. Users and administrators are encouraged to review Microsoft support article 2264107, the Microsoft Security Research & Defense TechNet blog entry, and to consider using the Fix it tool to help reduce the risks. Users should be aware that setting the registry key value as described in the support article or via the Fix it tool may reduce the functionality of some third-party applications.
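As an added check, not part of the post, the US-CERT note or Microsoft's Fix it, here is a read-only PowerShell script that reports whether the KB2264107 registry mitigation and the three US-CERT workarounds above are in place on the local machine. It assumes Windows PowerShell 3+ run as an administrator; the registry value name CWDIllegalInDllSearch and its meanings are Microsoft's documented ones from KB2264107 (not quoted on this page), and the firewall check relies on the NetSecurity cmdlets that exist on Windows 8 / Server 2012 and later.

```powershell
# Added audit script, not from the post, US-CERT or Microsoft. Read-only.
# Reports the state of the KB2264107 registry mitigation and the three
# US-CERT workarounds. Assumes Windows PowerShell 3+ in an elevated session.

# 1. KB2264107 registry value (the one Fix it 50522 sets). Name and meanings
#    are Microsoft's documented ones, not quoted in the post above.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwdValue = (Get-ItemProperty -Path $sessionMgr -Name 'CWDIllegalInDllSearch' `
             -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
if ($null -eq $cwdValue) {
    $cwdStatus = 'NOT SET: default search order, current directory is searched'
} else {
    # A REG_DWORD of 0xFFFFFFFF comes back as Int32 -1, so test both forms.
    $cwdStatus = switch ($cwdValue) {
        0 { 'NOT SET: explicitly default' }
        1 { 'PARTIAL: blocks DLL loads from a WebDAV current directory only' }
        2 { 'MITIGATED: blocks DLL loads from WebDAV and remote-share current directories' }
        { $_ -eq -1 -or $_ -eq 0xFFFFFFFF } { 'MITIGATED: current directory removed from the DLL search order' }
        default { "UNKNOWN: unexpected value $cwdValue" }
    }
}

# 2. WebClient service (the WebDAV redirector). Disabled = workaround applied.
$webClient = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
if ($null -eq $webClient) {
    $webClientStatus = 'NOT INSTALLED'
} elseif ($webClient.StartMode -eq 'Disabled') {
    $webClientStatus = 'MITIGATED: service disabled'
} else {
    $webClientStatus = "NOT MITIGATED: StartMode=$($webClient.StartMode), State=$($webClient.State)"
}

# 3. Host firewall rules that block outbound SMB (TCP 139/445). A block on a
#    perimeter firewall would not be visible here, so treat a miss as "check elsewhere".
$smbBlockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
    -ErrorAction SilentlyContinue | Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).RemotePort) -join ','
        $ports -match '(^|,)(139|445)(,|$)'
    }
if ($smbBlockRules) {
    $smbStatus = "MITIGATED: $(@($smbBlockRules).Count) outbound block rule(s) cover TCP 139/445"
} else {
    $smbStatus = 'NOT MITIGATED: no host firewall rule blocks outbound TCP 139/445'
}

[pscustomobject]@{
    'CWDIllegalInDllSearch' = $cwdStatus
    'WebClient service'     = $webClientStatus
    'Outbound SMB'          = $smbStatus
} | Format-List
```

Per the support article's caveat, a MITIGATED result for the registry value or the WebClient service may also mean some third-party applications have lost functionality, so check those after applying the settings.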


MS Fix Shores Up Security for Windows Users — Krebs on Security
Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online.  Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

... vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Mediaplayer Classic and uTorrent, to name just a few.
