Microsoft warns of DLL vulnerability in applications

A security advisory from Microsoft warns of a widespread programming error which can result in applications executing malicious code in specially crafted DLL files when, for example, a user opens an image on a network drive. Under certain circumstances the installed application could subsequently load libraries containing malicious code from this network directory.

Following the discovery of the problem behaviour in iTunes by security services provider Acros, Metasploit developer HD Moore found approximately 40 other applications affected by the issue. According to Thierry Zoller, the affected programs include Photoshop. Apple has fixed the problem in version 9.2.1 of iTunes, but it’s unclear which other applications remain vulnerable.

To protect against the problem, Microsoft recommends terminating the WebDAV service and using a firewall to block outbound SMB connections. The company has also released a tool which can be used to adjust search behaviour when loading libraries via registry entries. A post on Microsoft’s TechNet Security Research & Defense blog details the individual registry key values.

This attack scenario is not entirely novel – the NSA warned of the problem of “DLL spoofing” in its “Windows NT Security Guidelines” 12 years ago. In addition, Microsoft has been telling developers how to load libraries correctly for some time. Clearly, however, many applications are failing to adhere to these guidelines. It seems doubtful that a patch to shut down this problem once and for all will be produced. Microsoft has stated that it’s impossible to fix the issue directly in Windows, as this would result in documented functionality no longer working as expected.

Source: h**p://www.h-online.com/security/news/item/Microsoft-warns-of-DLL-vulnerability-in-applications-1064584.html

How can COMODO block these “outbound SMB connections”?

On the Windows side and as far as XP is concerned, and although I am not absolutely affirmative with that (I am a relatively new XP user and ran 2k not so long ago), the WebDAV server side is offered by IIS (meaning, if I make no mistake, it is only available for XP Pro), while the WebDAV client depends on the standard Windows WebClient service.

It is therefore enough, without even speaking of CIS, to disable both IIS/Terminal Server and WebClient if you don’t need them, either directly from Windows services or by a specific utility (I am thinking of XPLite).

I don’t run any WebDAV application myself, and I am not sure it would be intercepted by CIS (except by monitoring protocols other than TCP/IP), since WebDAV (like a lot of Java applications, same threat) directly runs on your HTTP port 80.

Still, from my (low) knowledge of this situation, this would probably keep WebDAV from standard Windows redirection, but probably not keep third-party applications from executing DAV contents, although, for doing so, they would need to connect on port 80, which you could (and should) set CIS to intercept:
there’s no reason, despite what I am often reading in these same forums, to allow anything outbound if it does not have to be, and each and every Internet connection should be monitored.

Now, for accessing a DAV library on the web, the folder needs to be shared, and that is where SMB comes into action: no SMB, no sharing, but XP uses for this not only the standard “NetBIOS ports” (by extension with RPC, 135-139, which should be closed on the WAN by every sensible person), but also port 445, somewhat less easy to close.
Please refer, in this regard, to:
http://www.petri.co.il/whats_port_445_in_w2k_xp_2003.htm

I think I understand, so, that a “normal” and “average” user using his Home PC for “normal” Internet navigation is not interested at all :-TU

Not quite: the “average XP home user” does not close unneeded/nefarious Windows services, and still less the NetBIOS and 445 ports, whereas it is the first thing he should ever do before even installing the firewall of his choice.

Zero-day Windows bug problem worse than first thought, says expert

My response to this issue.

as a follow-up, Microsoft Security Advisory (2269637)

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

Another follow-up:

Windows DLL load hijacking exploits go wild

Wasn’t this nipped in the bud by the big M and other apps like Hitman Pro?
Or is this a completely different thing?

Counter measures against these:

Read this article, download the appropriate patch and use the Reg setting to disable the WebDAV issue.
http://support.microsoft.com/kb/2264107

Next make sure you block Outgoing TCP traffic TO TCP ports 139 and 445, your normal every day application does not need them, only if you have a local LAN with a “server” that shares something, but not going out to the “internet”…
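As an added example, not from the thread or from Comodo, the countermeasures in the post above written out as a PowerShell script for a Vista/7-era Windows host (run from an elevated prompt). It assumes the built-in netsh advfirewall tool and the WebClient service name as shipped by Windows, and uses the CWDIllegalInDllSearch registry value that the linked KB 2264107 describes.

```powershell
# Added hardening example (not the thread's own content). Three steps:
# block outbound SMB, disable the WebDAV redirector, and restrict where the
# DLL search order may look. Run from an elevated PowerShell prompt.

# 1. Block outbound TCP 139/445 (NetBIOS session / SMB) to every destination,
#    as the post recommends. Assumption: this is a stand-alone home PC; on a
#    LAN with a file server, narrow "remoteip=any" to non-LAN ranges instead.
netsh advfirewall firewall add rule name="Block outbound SMB (TCP 139/445)" `
    dir=out action=block protocol=TCP remoteport=139,445 remoteip=any

# 2. Stop and disable the WebClient service (the WebDAV mini-redirector) so a
#    "file" opened from an http:// path cannot become a DLL search location.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Apply the KB 2264107 mitigation: value 2 refuses to load DLLs from the
#    current working directory when it is a WebDAV or other remote (UNC) share.
#    0xFFFFFFFF would drop the current directory from the search order entirely,
#    but that setting is the one most likely to break legacy applications.
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
Set-ItemProperty -Path $key -Name CWDIllegalInDllSearch -Value 2 -Type DWord

# 4. Verify what was applied before trusting it.
Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch |
    Select-Object CWDIllegalInDllSearch
Get-Service -Name WebClient | Format-List Name, Status
netsh advfirewall firewall show rule name="Block outbound SMB (TCP 139/445)"
```

Applying the registry value system-wide protects every application that still loads libraries through the default search order, so test the applications you rely on after setting it.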

MicroSoft’s current answer to this issue:

http://support.microsoft.com/kb/2264107

I found an unofficial list of programs that have been found to be vulnerable. Check it out: Avast is the only AV that is vulnerable, that sucks for them. http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

CIS can be used to block this class of vulnerabilities without numerous alerts. See my guide on using CIS as an anti-executable for details - https://forums.comodo.com/guides-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html.

I’ve verified that the proof-of-concept for VLC Media Player works. Also, Comodo Internet Security, when used as an anti-executable with the DLL interception option, blocks the DLL. The message box below appears if and only if the DLL is loaded.


If anyone has any POC’s of this potential malware vector, I’d appreciate a sample. Thanks.

PM sent

Can D+ protect system from this kind of attack?

Yes. Please see my previous post in this thread.

From everything I’ve read about this, the chances of an end user being adversely affected are extremely slim. I’m not worried at all.

You should be worried, since there are active exploits already in the wild (and being written for almost all exploitable programs), and Comodo does not protect from them in both default and proactive configuration.

Mr Brian’s method works, but how many Comodo users run his config? Virtually none.

CIS 5 offers no protections what so ever, since Mr Brian’s method won’t work.

The “exploits” all require you to download a file or go to a special website in order to be affected. Even an average user is unlikely to get infected. This is blown way out of proportion, which isn’t unusual.