Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
Published: August 23, 2010
Executive Summary
Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.
This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx
Metasploit’s HD Moore
Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.
While working on the Windows Shortcut exploit, I stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem. iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. I was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The Acros advisory on the 18th threw a wrench into this process.
Read the rest here: http://blog.rapid7.com/?author=20
