Executive Summary
Summary | |
---|---|
Title | Insecure Library Loading Could Allow Remote Code Execution |
Information | |||
---|---|---|---|
Name | KB2269637 | First vendor Publication | 2010-08-23 |
Vendor | Microsoft | Last vendor Modification | 2012-11-13 |
Severity (Vendor) | N/A | Revision | 18. |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. The root cause is that applications pass an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system, and is actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Updates relating to Insecure Library Loading:
Update released on November 9, 2010
Updates released on December 14, 2010
Update released on January 11, 2011
Update released on February 8, 2011
Updates released on March 8, 2011
Updates released on April 12, 2011
Updates released on July 12, 2011. Developers can help to ensure their programs load DLLs properly and avoid "DLL preloading" or "binary planting" attacks by following the guidance provided in Microsoft Knowledge Base Article 2533623 to take advantage of the API enhancements provided by this update.
Update released on August 9, 2011
Updates released on September 13, 2011
Updates released on October 11, 2011
Update released on November 8, 2011
Updates released on December 13, 2011
Updates released on February 14, 2012
Update released on March 13, 2012
Update released on June 12, 2012
Update released on July 10, 2012
Update released on November 13, 2012

Microsoft is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will take appropriate action to protect its customers.

Where can developers find guidance on how to avoid this issue?
Microsoft has published the MSDN article, Dynamic-Link Library Security, which describes the various Application Programming Interfaces (APIs) available on Windows that allow developers to correctly and securely load external libraries. Microsoft is working with developers through the Microsoft Vulnerability Research Program to share information with them on how to prevent this vulnerability in their products. Software vendors and ISVs that have questions on the mitigations available in Windows for this issue are invited to contact msvr@microsoft.com for additional mitigation information.

What is the scope of the issue? What causes this threat?
Some Application Programming Interfaces (APIs), such as SearchPath, use a search order that is intended for documents and not application libraries. Applications that use such an API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker. Other APIs may also lead to similar behavior when used in specific ways described in the MSDN article, Dynamic-Link Library Security. In the case of network shares, such as WebDAV or SMB, an attacker who can write to this location could upload a specially crafted library. In this scenario, the application attempts to load the specially crafted library, which can then execute arbitrary code on the client system in the security context of the logged-on user.

What might an attacker use this vulnerability to do?
In some cases, an attacker who already has access to a local folder on the system could use a DLL preloading vulnerability in a local application running with elevated privileges to elevate his access to the system.

How could an attacker exploit this vulnerability?
What are the remote attack vectors for this vulnerability?
Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is also investigating whether any of its own applications are affected by DLL preloading vulnerabilities and will take appropriate action to protect its customers.

What is a Dynamic Link Library (DLL)?
By using a DLL, a program can be modularized into separate components. For example, an accounting program may be sold by module. Each module can be loaded into the main program at run time if that module is installed. Because the modules are separate, the load time of the program is faster, and a module is only loaded when that functionality is requested.

What is Web-based Distributed Authoring and Versioning (WebDAV)?
What is Microsoft Server Message Block (SMB) protocol?

Mitigating Factors:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of this issue. The following mitigating factors may be helpful in your situation:

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Note: See Microsoft Knowledge Base Article 2264107 to deploy a workaround tool that allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis. Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.

Note: See Microsoft Knowledge Base Article 2264107 to use the automated Microsoft Fix it solution to deploy the registry key that blocks loading of libraries from SMB and WebDAV shares. This Fix it solution does require you to first install the workaround tool also described in Microsoft Knowledge Base Article 2264107: it only deploys the registry key and needs the workaround tool in order to be effective. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet. To disable the WebClient Service, follow these steps:

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround. To re-enable the WebClient Service, follow these steps:

Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability, because these ports are used to initiate a connection with the affected component. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments.

Impact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.

Third-party vendors may release updates that address insecure library loading in their products. Microsoft recommends that customers contact their vendor if they have any questions about whether a specific application is affected by this issue, and monitor for security updates released by these vendors. We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer. For more information about staying safe on the Internet, visit Microsoft Security Central.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
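The three administrative workarounds the advisory describes (the KB2264107 registry value, disabling the WebClient service, and blocking inbound TCP 139/445) can be audited and applied from PowerShell. The script below is an added example, not part of the Microsoft advisory or of this page. It assumes the KB2264107 workaround tool is already installed (the page states the registry value has no effect without it); the value name CWDIllegalInDllSearch, the meaning of its settings, and the per-application Image File Execution Options location are taken from KB2264107 rather than from this page; the firewall rule name is a constructed one, and the host-firewall rule is an on-host analogue of the perimeter block the advisory recommends.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the advisory or this page): report and, with -Apply,
  enable the KB2269637 workarounds on one Windows host.
  Assumptions: the KB2264107 workaround tool is installed (the registry value has
  no effect without it); the value name CWDIllegalInDllSearch, its meanings and
  the per-application Image File Execution Options path come from KB2264107, not
  from this page; the firewall rule name is constructed.
#>
param(
    [switch]$Apply,          # without -Apply the script only reports current state
    [string]$Application     # optional binary name for a per-application setting, e.g. 'contoso.exe'
)

$systemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$valueName = 'CWDIllegalInDllSearch'
$ruleName  = 'KB2269637 workaround: block inbound TCP 139/445'   # constructed name

function Get-CwdDllSearchValue([string]$Path) {
    # Returns the DWORD as an unsigned value, or $null when unset (default search
    # order, in which the current working directory is searched).
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]($item.$valueName -band 0xFFFFFFFF)   # 0xFFFFFFFF reads back as -1 otherwise
}

function Describe-CwdDllSearchValue($Value) {
    # Meanings as documented in KB2264107 (assumed; this page only names "the registry key").
    if ($null -eq $Value) { return 'not set: default search order, CWD is searched' }
    switch ($Value) {
        4294967295 { '0xFFFFFFFF: DLLs are never loaded from the CWD' }
        2          { '2: CWD loads blocked when the CWD is a remote SMB or WebDAV share' }
        1          { '1: CWD loads blocked when the CWD is a WebDAV share' }
        default    { "$Value : unrecognised value, treat as unmitigated" }
    }
}

function Get-WorkaroundState {
    $svc  = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $svcText  = if ($svc)  { "$($svc.Status), start type $($svc.StartType)" } else { 'not present' }
    $ruleText = if ($rule) { "present, enabled=$($rule.Enabled)" } else { 'absent' }
    $state = [ordered]@{
        SystemWideDllSearch = Describe-CwdDllSearchValue (Get-CwdDllSearchValue $systemKey)
        WebClientService    = $svcText
        InboundSmbBlockRule = $ruleText
    }
    if ($Application) {
        $state["PerAppDllSearch($Application)"] =
            Describe-CwdDllSearchValue (Get-CwdDllSearchValue (Join-Path $ifeoRoot $Application))
    }
    return [pscustomobject]$state
}

if ($Apply) {
    # 1. System-wide value 2: what the KB2264107 Fix it deploys (block CWD loads from SMB and WebDAV).
    Set-ItemProperty -Path $systemKey -Name $valueName -Value 2 -Type DWord
    if ($Application) {
        # Per-application override: never search the CWD for this binary.
        # -1 is written because a DWord cannot be given as 4294967295; it is stored as 0xFFFFFFFF.
        $appKey = Join-Path $ifeoRoot $Application
        if (-not (Test-Path $appKey)) { New-Item -Path $appKey -Force | Out-Null }
        Set-ItemProperty -Path $appKey -Name $valueName -Value -1 -Type DWord
    }
    # 2. Disable the WebClient service: WebDAV requests stop and dependent services will not start.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    # 3. Host-firewall analogue of the perimeter block: inbound TCP 139/445 on the Public profile.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Public | Out-Null
    }
}

Get-WorkaroundState | Format-List
```

Run it without switches from an elevated prompt to see the current state of all three workarounds; add -Apply to enable them, and -Application with a binary name to add a per-application setting for one vendor-confirmed program. The firewall rule is limited to the Public profile because, as the advisory notes, several Windows services use ports 139 and 445 and a blanket block will stop them working; widen the profile only after checking which services on the host depend on SMB.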
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2269637.mspx
Alert History
Date | Information |
---|---|
2014-02-17 11:38:37 | |
2013-12-14 21:19:30 | |
2013-02-06 19:08:06 | |
2012-11-13 21:20:48 | |