Current Activity - Insecure Loading of Dynamic Link Libraries in Windows Applications

[Current Activity <us-cert () us-cert gov>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

Insecure Loading of Dynamic Link Libraries in Windows Applications

Original release date: August 25, 2010 at 12:01 pm
Last revised: September 16, 2010 at 8:49 am


US-CERT is aware of a class of vulnerabilities related to how some
Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by searching a
defined set of directories. If an application does not securely load
DLL files, an attacker may be able to cause the affected application
to load an arbitrary library.

By convincing a user to open a file from a location that is under an
attacker's control, such as a USB drive or network share, a remote
attacker may be able to exploit this vulnerability. Exploitation of
this vulnerability may result in the execution of arbitrary code.
Additional information regarding this vulnerability can be found in
US-CERT Vulnerability Note VU#707943. US-CERT encourages users and
administrators to review the vulnerability note and consider
implementing the following workarounds until fixes are released by
affected vendors:
  * disable loading libraries from WebDAV and remote network shares
  * disable the WebClient service
  * block outgoing SMB traffic

Update 9/16/2010: Apple has released QuickTime 7.6.8 to address the
DLL issue in earlier versions of Quicktime for Windows. Users and
administrators are encouraged to review Apple article HT4339 and
update to QuickTime 7.6.8 to help mitigate the risks.

Update 09/10/10: Research In Motion has released security advisory
KB24242 to address the DLL issue in its BlackBerry Desktop Software
for Windows version 6.0.  This issue impacts all versions of the
BlackBerry Desktop Software and may allow an attacker to convince the
user to execute arbitrary code. Users and administrators are
encouraged to review BlackBerry security advisory KB24242 and update
to version 6.0.0.47 to help mitigate the risks.
Update 09/01/10: Microsoft has released Fix it tool 50522 to assist
users in setting the registry key value introduced with Microsoft
support article 2264107 to help reduce the risks posed by the DLL
loading behavior described in VU#707943. Users and administrators are
encouraged to review Microsoft support article 2264107 and the
Microsoft Security Research & Defense TechNet blog entry, and to
consider using the Fix it tool to help reduce the risks. Users should
be aware that setting the registry key value as described in the
support article or via the Fix it tool may reduce the functionality of
some third-party applications.
US-CERT will provide updates when additional details become available.

Relevant Url(s):
<http://support.apple.com/kb/HT4339>

<http://www.kb.cert.org/vuls/id/707943>

<http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24242>

<http://blogs.technet.com/b/srd/archive/2010/08/31/an-update-on-the-dll-preloading-remote-attack-vector.aspx>

<http://support.microsoft.com/kb/2264107>

====
This entry is available at
http://www.us-cert.gov/current/index.html#insecure_loading_of_dynamic_link

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTJIdgj6pPKYJORa3AQK2mwf/WL35yTWas3c6O2wTXid/suXdrK9Oljos
WGz41w5KadtVpGVwLc49XyxaqxzTZCCR9HRa8fwQ2MI48KFqemidS+o7q/6JNE86
3KoIRNBCc2jkIxnQfFDixsHweu1UYORmFajAFXFqHbpotPJjISiornn44MRoqSZN
BHZUgIvjtrlZm2BuxgCEF+siZpZ6ehzL4V6egLfi5dZUpmOuNh6sQX/q6S2p8Zt4
uH8xvOP9g62BsdbXpPg3PbmPs+3Olx1gntKFfTAVPfhTU/1dDz19wHoaZ+mdA2re
REfiIvn/OTG8GUeOmX5+A5LeACHr5fVdPkSXpEli4xSH1lld0vNTsg==
=epH3
-----END PGP SIGNATURE-----