Aug 24, 2010 13:52 GMT

A new Security Advisory released by Microsoft is designed to help customers fend off potential DLL preloading attacks.

However, Microsoft Security Advisory 2269637 is in no way designed to address vulnerabilities in the Redmond company’s products.

The software giant explained that the advisory is simply a response to recent research made public detailing a new vector of attack for vulnerabilities associated with DLL preloading or "binary planting" attacks.

Although such vulnerabilities are nothing new, it was previously thought that they could not be exploited remotely. This is no longer the case, as recent research indicated, pointing out that a remote attack vector does exist.

“The attack focuses on tricking an application into loading a malicious library when it thinks it's loading a trusted library,” revealed Christopher Budd, senior security response communications manager, Microsoft.

“For this to succeed, the application has to call the trusted library by name instead of properly using its full path (for example, calling dllname.dll rather than C:\Program Files\Common Files\Contoso\dllname.dll).”

“The attacker then has to place a malicious copy of the library in a directory that the system will search to locate the library and have that be a directory it will search before the directory where the trusted library actually is.”

Provided that a potential attacker has managed to place a malicious copy of dllname.dll in the working directory, the app will load it. In such a context, the malicious code would automatically be executed first.

Security researchers have now discovered a way for attackers to plant malicious libraries on a network share and take advantage of the vulnerability.

“The attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file,” Budd said.

“At that point, the application would load the malicious library and the attacker's code would execute on the user's system.”
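The lookup described above can be modelled for audit purposes. The following is an added example, not code from the advisory or from Microsoft: given an ordered list of search directories, it reports which copy a load request would pick up and whether that copy sits on a network share. The search order, the `\\fileserver\docs` share and the application directory are constructed assumptions; the real order depends on the Windows version and its configuration.

```python
import ntpath  # Windows path rules, usable on any OS

def _key(path):
    # Windows file names compare case-insensitively
    return ntpath.normcase(ntpath.normpath(path))

def is_remote(path):
    # UNC paths (\\server\share\...) have a drive part starting with two backslashes
    return ntpath.splitdrive(path)[0].startswith("\\\\")

def resolve(requested, search_dirs, present_files):
    """Return the file a load request would pick up, or None.

    A full path is used as given. A bare name is looked up in each
    directory of search_dirs in order, and the first match wins.
    """
    present = {_key(p) for p in present_files}
    if ntpath.isabs(requested):
        return requested if _key(requested) in present else None
    for directory in search_dirs:
        candidate = ntpath.join(directory, requested)
        if _key(candidate) in present:
            return candidate
    return None

def audit(requested, trusted_path, search_dirs, present_files):
    """Return (loaded_path, verdict) for one load request."""
    loaded = resolve(requested, search_dirs, present_files)
    if loaded is None:
        return None, "not found"
    if _key(loaded) == _key(trusted_path):
        return loaded, "trusted copy"
    where = "network share" if is_remote(loaded) else "local directory"
    return loaded, "unexpected copy from " + where

# Constructed sample data (only the trusted path comes from the article)
TRUSTED = r"C:\Program Files\Common Files\Contoso\dllname.dll"
CWD = r"\\fileserver\docs"          # working directory = folder of the opened data file
APP_DIR = r"C:\Program Files\Contoso App"
SEARCH = [APP_DIR, CWD, ntpath.dirname(TRUSTED)]   # assumed order
FILES = [TRUSTED, ntpath.join(CWD, "DLLNAME.DLL")]

if __name__ == "__main__":
    print(audit("dllname.dll", TRUSTED, SEARCH, FILES))   # load by name
    print(audit(TRUSTED, TRUSTED, SEARCH, FILES))         # load by full path
```

Dropping the working directory from the search list, or requesting the library by its full path, makes the same audit report the trusted copy.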

Customers need to read Microsoft Security Advisory (2269637) as the software giant provides extensive information on the new threat associated with Insecure Library Loading vulnerabilities.

At the same time, the Redmond company is also detailing the steps that customers need to take in order to make sure that their systems are bulletproofed against these types of attacks under the Mitigating Factors and Suggested Actions section of the advisory.

“Today we are providing a defense-in-depth update that customers can deploy that will help protect against attempts to exploit vulnerable applications through this newly identified vector,” Budd said.