Details Of Windows Binary Planting Bug Revealed

The fallout from the binary planting vulnerabilities plaguing scores of programs running on Windows continued today as more names of susceptible applications became public and the number of exploits exploded.

Belgian security site Corelan.be listed dozens of vulnerable applications, including several Microsoft programs. Among them are Microsoft Word 2007, Microsoft Office PowerPoint 2010 and Microsoft Office Visio 2003.

VUPEN Security also published a list of vulnerable applications that featured programs such as Mozilla Firefox and Adobe Photoshop.

“Thus far, we have not observed any in-the-wild attacks leveraging this new attack vector, but we have heard some reports of limited exploitation,” said Marc Fossi, manager of research and development for Symantec Security Response. “This doesn’t come as a surprise, however, since exploit code for some applications affected by this issue is now public.”

Vulnerable Applications

During the week of 16 Aug, researchers at Acros Security said they had found more than 200 applications vulnerable to the bugs. Rapid7 Chief Security Officer HD Moore also said at the time he had found dozens of vulnerable applications on his own as well. Moore recently updated an auditing tool he developed to identify vulnerable applications on a local machine more quickly.

According to Microsoft, binary planting bugs are caused by applications passing an insufficiently qualified path when loading an external library. Most of the bugs Acros Security found—which totaled 520—were DLL (dynamic link library) file loading issues, while the rest were due to insecure loading of executables such as .exe and .com files.

To exploit the issue, attackers need to trick users into opening a file using a vulnerable program. “When the application loads one of its required or optional libraries, the vulnerable application may attempt to load the library from the remote network location,” Microsoft explained in an advisory released on 23 Aug. “If the attacker provides a specially crafted library at this location, the attacker may succeed at executing arbitrary code on the user’s machine.” Remote binary planting bugs “can be exploited over network file systems such as … WebDAV and SMB.”

.DLL Files

Microsoft has issued some guidance to help developers working with .DLL files avoid the vulnerabilities as well as a tool “that helps customers address the risk of the remote attack vendor through a per-application and global configuration setting.”

To mitigate the issue, organisations can also disable the WebClient service or block TCP ports 139 and 445 at the firewall, Microsoft advised.

Actually fixing the affected applications does not appear to be overly difficult, Fossi said. “However, the challenge is in the number of applications out there, especially older programs, that are potentially vulnerable,” he added. “Simply raising awareness among application developers is going to be a major hurdle. … According to Microsoft, directly addressing this issue in Windows will result in the loss of some expected functionality. As a result, they are recommending that the onus be on application developers to fix it. However, we encourage Microsoft to continue to look at ways to address this issue from a higher level.”