Security Watch

Holed Up in the Library

A flaw with curious name, "binary planting," grows out of iTunes on Windows. There's a workaround for that.

• By Jabulani Leffall
• 08/23/2010

Microsoft has released a new security advisory on a vulnerability in the Windows operating system's dynamic link library (DLL). A DLL is Redmond's shared library concept for most of its more prominent iterations of the Windows OS. Redmond said the issue is caused by "specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks."

These practices, according to the security advisory, could "allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location."

The flaw was first uncovered last Thursday by Acros, a security firm in Slovenia, which published an advisory identifying what it called "binary planting" flaw in iTunes. What does iTunes have to do with Windows? Well, when a user opens a media file like one from iTunes using a remote network share, iTunes will naturally attempt to load additional DLLs during the file-loading process.

In this context, according to experts such as H.D. Moore of Rapid 7, the first U.S.-based researcher to make the discovery, and Andrew Storms, director of security at nCircle, a malicious DLL file can ride on in unnoticed and a hacker can then execute code changes remotely.

"The big question of the day doesn't concern third-party application developers that didn't follow Microsoft's programming advice and so are vulnerable to this category of attack," said Storms. "The big question is, which of Microsoft's own products are vulnerable? Microsoft information so far is still skirting this important question."

A consensus among security experts is that the best mitigation, other than to wait and see what Microsoft says in its advisory (which should be released anytime this week), is to block Windows Server Message Block (SMB) at the perimeter and disable Web client service.

Exploit research expert H.D. Moore gave more background on Sunday about how the hack actually goes down, through his proofs of concept outlined in this blog post.

Also, in February, Taeho Kwon and Zhendong Su at The University of California at Davis, published "Automatic Detection of Vulnerable Dynamic Component Loadings," a scholarly look at the subject .

Kwon and Su's work is significant as Kwon told Computerworld this week that he didn't think Microsoft intended to patch the issue, but instead would fix the problem in upcoming Windows OS and Microsoft Office service packs.

For its part, Microsoft said it is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will "take appropriate action to protect its customers." These "appropriate actions," of course, could include more detailed workarounds, updates in new service packs or even a reversal of the stance on not patching this issue.