A security advisory from Microsoft warns of a widespread programming error which can result in applications executing malicious code in specially crafted DLL files when, for example, a user opens an image on a network drive. Under certain circumstances the installed application could subsequently load libraries containing malicious code from this network directory.
Following the discovery of the problem behaviour in iTunes by security services provider Acros, Metasploit developer HD Moore found approximately 40 other applications affected by the issue. According to Thierry Zoller, the affected programs include Photoshop. Apple has fixed the problem in version 9.2.1 of iTunes, but it’s unclear which other applications remain vulnerable.
To protect against the problem, Microsoft recommends terminating the WebDAV service and using a firewall to block outbound SMB connections. The company has also released a tool which can be used to adjust search behaviour when loading libraries via registry entries. A post on Microsoft’s TechNet Security Research & Defense blog details the individual registry key values.
This attack scenario is not entirely novel – the NSA warned of the problem of “DLL spoofing” in its “Windows NT Security Guidelines” 12 years ago. In addition, Microsoft has been telling developers how to load libraries correctly for some time. Clearly, however, many applications are failing to adhere to these guidelines. It seems doubtful that a patch to shut down this problem once and for all will be produced. Microsoft has stated that it’s impossible to fix the issue directly in Windows, as this would result in documented functionality no longer working as expected.
How can COMODO block these “outbound SMB connections”? ???