Microsoft releases mitigating tool for latest 0-day bug
HD Moore, CSO at Rapid7 and creator of Metasploit, revealed last week that some 40 Windows applications are affected by a critical vulnerability that can allow attackers to execute malicious code remotely and infect the computers with malware.
He refused to reveal specific details about the flaw, and over the next few days there were reports that over 200 programs might be affected. Whatever the final number turns out to be, Microsoft decided to get a grip on the matter and published a security advisory about it, stating that it is investigating whether any of its own applications are affected by the vulnerability and explaining what the flaw can do.
The vulnerability affects how applications load external libraries. “When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order,” says the Dynamic-Link Library Security article published on MSDN a couple of days ago.
“If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.”
Microsoft is keen to make clear that the vulnerability is not in Windows itself, but in applications whose developers have not followed Microsoft’s advice on secure and correct use of the available application programming interfaces. The company has yet to confirm that its own programmers have been thoroughly following this advice.
Microsoft is also actively getting in touch with these third-party developers in order to inform them of available mitigations for the vulnerability, and has also released a tool that allows system administrators to mitigate the risk by altering the library loading behavior system-wide or for specific applications.
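The search-order behaviour quoted above, and the effect of the mitigation that removes the current working directory from that search, as an added model written for this article (not Microsoft's code or the Fix-it tool); the directory and DLL names are constructed sample values, and `cwd_allowed=False` stands in for the CWDIllegalInDllSearch setting that drops the working directory from the search:

```python
# Constructed model of the Windows DLL search order (SafeDllSearchMode on by
# default). Directory and file names below are invented sample values.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_search=True, cwd_allowed=True):
    """Directories Windows consults, in order, for an unqualified DLL name.

    safe_search models SafeDllSearchMode; cwd_allowed=False models the
    administrator mitigation that removes the current working directory
    from the search entirely.
    """
    order = [app_dir]
    if not safe_search and cwd_allowed:   # legacy order: CWD right after app dir
        order.append(cwd)
    order += SYSTEM_DIRS
    if safe_search and cwd_allowed:       # safe order: CWD after the system dirs
        order.append(cwd)
    return order + list(path_dirs)


def resolve_dll(name, fs, **kw):
    """Return the path LoadLibrary(name) would load, or None if nothing is found.

    fs is a set of existing file paths (an in-memory stand-in for the disk).
    """
    if "\\" in name:                      # fully qualified name: no search at all
        return name if name in fs else None
    for directory in search_order(**kw):
        candidate = directory + "\\" + name
        if candidate in fs:               # first hit wins, legitimate or planted
            return candidate
    return None


def demo():
    app = r"C:\Program Files\Viewer"
    share = r"\\untrusted-share\docs"     # CWD when a document is opened from a share
    fs = {app + r"\viewer.exe",
          r"C:\Windows\System32\kernel32.dll",
          share + r"\report.doc",
          share + r"\helper.dll"}         # DLL planted next to the document
    common = dict(app_dir=app, cwd=share, path_dirs=[r"C:\Windows\System32"])
    return {
        "system dll": resolve_dll("kernel32.dll", fs, **common),
        "missing dll, default": resolve_dll("helper.dll", fs, **common),
        "missing dll, cwd removed": resolve_dll("helper.dll", fs, cwd_allowed=False, **common),
        "fully qualified, missing": resolve_dll(app + r"\helper.dll", fs, **common),
    }
```

A DLL the application expects but that is absent from the application and system directories is the case that matters: with the default order it resolves to the copy in the working directory, and with the working directory removed the load simply fails.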