A flaw in the way Windows handles DLL (dynamic-link library) and related files likely affects hundreds of applications and has already been used in malicious attacks in the wild, a security researcher said on Tuesday.
Microsoft acknowledged in an advisory on Monday a type of attack mechanism known as DLL preloading, or binary planting, and said that while it is not new, it does have a new remote-attack vector. The attack works against applications that ask Windows for a DLL by bare name rather than by full path: when such an application opens a document, the folder holding that document becomes its working directory and is searched for the DLL, so whoever controls that folder can supply the library that gets loaded. Malicious code can now be planted on a network share instead of just on a local system, making it much easier to attack vulnerable systems by duping people into clicking malicious Web links or opening malicious documents.
Security firm Acros disclosed the issue last week after finding that it affects iTunes, and Rapid7 Chief Technology Officer HD Moore published additional information about it this week. Moore, creator of the Metasploit exploitation framework, also released a tool to test whether applications are vulnerable.
Now, the Exploit-db.com exploit database is getting flooded with submissions of applications that people say are vulnerable, including Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2010, Office 2007, and non-Microsoft applications like Firefox 3.6.8, Foxit Reader, Wireshark and uTorrent, said Mati Aharoni, founder of security firm Offensive Security, which runs the exploit database.
A post to the Full Disclosure mailing list claims that the Windows Address Book in Windows XP is also vulnerable.
"Today we broke a record in the Exploit-db with the amount of exploits for various Windows applications submitted in one day...all based on the same vulnerability," Aharoni said. "Right now it's in the dozens," he said, but he expects there will be hundreds of vulnerable applications reported before too long.
Meanwhile, researchers have seen a few malicious attacks using the vulnerability in the wild, he said.
"I would say this is a core Windows problem," Aharoni said. "But to fix this you have to change the way Windows loads DLLs altogether, which would be very, very difficult and will no doubt result in a lot of applications breaking."
Microsoft has released a tool that allows system administrators to mitigate the risk from the vulnerability.
"Currently we are analyzing our own applications to identify any that are affected by this new remote vector. As a result, we will take appropriate actions to protect customers which may include releasing security advisories with mitigations and workarounds and security updates to address the issue," said Jerry Bryant, group manager for response communication at Microsoft.
"At this time, we encourage customers to review and apply the guidance in Security Advisory 2269637," he said in an e-mail response to questions. "Also, it should be noted that DLL planting requires significant user interaction and cannot be exploited by simply browsing to a web page. An attacker would have to convince a user to click a link to their SMB (Server Message Block) or WebDAV (Web-based Distributed Authoring and Versioning) share and then convince the user to open a file from that share which would trigger additional dialogs prompting the user to OK the action."
Moore's advice to people running affected systems is "Don't open (Web) links from strangers or network share links from strangers."
McAfee researcher Adam Wosotowsky provided CNET with this assessment of the situation:
"Your Windows install has hundreds if not thousands of *.DLL files on it. Each one contains a bunch of function calls that can be used by anything else that loads that DLL at runtime. One DLL can reference another DLL, so that a series of DLL files will be loaded. There isn't much in the way of inherent version checking in DLL files, which means that the piece of shareware that you downloaded yesterday will probably still function after you've upgraded your DLL files today.
"Now, as a hacker I can take over your computer if I can gain enough access and permissions to replace a DLL file. All I need to do is add a bit of code to that process which sends the data I want somewhere else and then call the original function that is in a DLL that I renamed."