
Microsoft warns about application security flaw

The software maker says that it is looking into an issue that may leave many Windows programs subject to an attack mechanism known as DLL preloading, or binary planting.

Ina Fried Former Staff writer, CNET News

Microsoft issued an advisory on Monday about a security issue that could leave many Windows applications vulnerable to attack.

The advisory deals with a type of attack mechanism known as DLL preloading, or binary planting. Although the attack mechanism is not new or entirely unique to Windows, Microsoft acknowledged that there appears to be a new remote-attack vector that could allow more systems to be attacked quickly.

Two researchers at the University of California at Davis published a paper earlier this year on how vulnerable programs could be detected automatically. In recent days, security expert and Metasploit creator HD Moore published more information about the issue and added an exploit module for it to the Metasploit Framework.

Moore said he did so both to make customers aware and to encourage vendors to patch their applications. He opted not to publicly list all the affected programs, but he did release a tool that helps users uncover which of their software could be vulnerable.

"As a compromise between releasing the full list of affected products and not saying anything at all, I decided to push a generic exploit module to the Metasploit Framework and release an audit kit that can be used to identify affected applications on a particular system," Moore said in a blog post. "The audit kit should make it easier for other folks to identify vulnerable applications and hopefully have them addressed by the vendor."

The existence of such proof-of-concept code makes it likely that an attack could appear in the wild soon, according to Joshua Talbot, a senior intelligence manager for Symantec security response. "Attackers then look at that and try to adapt it for their own uses," he said.

Last Thursday, security research firm Acros Security warned that iTunes was vulnerable to such an attack. However, Moore and others point out that the vulnerability appears to affect far more than just iTunes, with potentially dozens of Windows programs similarly open to attack.

In the past, such attacks have required the malicious library to be planted on the local system. The new research shows that it can instead sit on a network share: when a user opens a document from the share, the application's current working directory becomes that share, and Windows includes the current directory in the path it searches when a program asks for a DLL by file name alone. Any library the program expects but does not find in its own directory or the system directories is then fetched from the attacker's share, which makes vulnerable systems far easier to reach.
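The trace such an attack leaves on a victim machine is a DLL that a process has loaded from the share itself. The following PowerShell script is an added example, not from the article and not Moore's audit kit (which looks for load attempts that fail and could be hijacked, rather than modules already loaded). It walks the running processes and reports modules loaded from a UNC path or mapped network drive, and, at a lower severity, modules loaded from outside the application's own directory, the Windows directory and Program Files. Those directory rules and the severity labels are the script's own assumptions, not anything the article or Microsoft specifies.

```powershell
# Added example, not from the article or from the Metasploit audit kit it mentions.
# Lists DLLs that running processes have loaded from a network location, or from a
# directory other than the application's own folder, the Windows directory or
# Program Files. A module pulled in from a UNC share or a mapped network drive is
# exactly what a successful binary-planting attack over the network leaves behind.
# Run as Administrator with a PowerShell whose bitness matches the processes you
# want to inspect (a 32-bit shell cannot enumerate a 64-bit process's modules).

function Test-NetworkPath {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path.StartsWith('\\')) { return $true }          # UNC path, including WebDAV
    if ($Path -match '^([A-Za-z]):\\') {                  # drive letter: is it a mapped share?
        $drive = New-Object System.IO.DriveInfo($Matches[1])
        return $drive.DriveType -eq [System.IO.DriveType]::Network
    }
    return $false
}

function Get-SuspiciousModules {
    param([int[]]$ProcessId)    # omit to scan every process the shell can open

    # Locations a well-behaved application is expected to load its DLLs from
    # (assumption of this script: app directory, %SystemRoot%, both Program Files roots).
    $trustedRoots = @(
        @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    )

    $procs = if ($ProcessId) { Get-Process -Id $ProcessId } else { Get-Process }
    foreach ($p in $procs) {
        if (-not $p.Path) { continue }                    # protected process or access denied
        $appDir  = (Split-Path $p.Path -Parent).TrimEnd('\') + '\'
        $modules = @()
        try { $modules = @($p.Modules) } catch { continue }   # 32/64-bit mismatch, access denied

        foreach ($m in $modules) {
            $file = $m.FileName
            if (-not $file) { continue }
            $finding = $null
            if (Test-NetworkPath $file) {
                $finding = 'HIGH: module loaded from a network location'
            }
            elseif (-not $file.StartsWith($appDir, 'OrdinalIgnoreCase') -and
                    -not ($trustedRoots | Where-Object { $file.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $finding = 'REVIEW: module loaded outside app dir, Windows and Program Files'
            }
            if ($finding) {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    PID     = $p.Id
                    Module  = $m.ModuleName
                    Path    = $file
                    Finding = $finding
                }
            }
        }
    }
}

# Typical run: look at the HIGH rows first. REVIEW rows are often legitimate
# (per-user plug-ins under %LOCALAPPDATA%, for example) but they show where a
# planted DLL would land for that application.
Get-SuspiciousModules | Sort-Object Finding, Process | Format-Table -AutoSize
```

Because the script inspects modules that are already loaded, it is a post-exploitation check or a lab verification (open a document from a test share with a planted DLL, then run it), not a way to predict which applications are vulnerable before the fact.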

In its advisory on Monday, Microsoft said it has also issued guidance to developers on how to avoid the vulnerability and that it is checking its own code to see if any Microsoft products are at risk.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Microsoft said in a blog post.

Microsoft said it has also released a software tool that "allows system administrators to mitigate the risk of the vulnerability in question by altering the library-loading behavior for the operating system or for specific applications."

Attacks that abuse library loading have been growing as Windows and other operating systems have become more hardened against attacks that exploit memory corruption flaws, Talbot said.

Talbot recommended that users look at a mitigation suggested by Microsoft that involves changing a registry key setting so that libraries cannot be loaded over a network. He also suggested other precautions, such as being cautious when clicking links or visiting unknown sites and making sure that antivirus software is up to date.
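The article does not name the registry setting behind this mitigation or behind the administrator tool Microsoft released. It is the CWDIllegalInDllSearch value documented in Microsoft Knowledge Base article 2264107, which controls whether the current working directory is consulted when a DLL is loaded by name. The following PowerShell is an added example, not Microsoft's tool and not code from the article: it reads the current setting and writes the documented values, system-wide or for a single application. The value has no effect on systems without the KB 2264107 update (or a later Windows build that includes it), so the result should be verified with a DLL-load test rather than assumed.

```powershell
# Added example, not from the article or from Microsoft's tool. Reads and sets the
# registry value behind Microsoft's mitigation: CWDIllegalInDllSearch, documented
# in Microsoft KB 2264107 (the article does not name it). It only takes effect on
# systems that have that update (or a later Windows build that includes it); on
# other systems it is silently ignored. Run from an elevated PowerShell prompt.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName      = 'CWDIllegalInDllSearch'

# Documented DWORD values and what each does to the current working directory (CWD)
# in the DLL search order.
$Meaning = @{
    '0x00000000' = 'default: CWD is searched, even when it is a remote share or WebDAV folder'
    '0x00000001' = 'CWD skipped when it is a WebDAV folder'
    '0x00000002' = 'CWD skipped when it is a WebDAV folder or a remote (UNC) share'
    '0xFFFFFFFF' = 'CWD removed from the DLL search order entirely'
}

function Get-PolicyKey {
    param([string]$Application)
    # Per-application values live under Image File Execution Options\<exe name>;
    # with no application given, the system-wide value under Session Manager is used.
    if ($Application) { Join-Path $IfeoRoot $Application } else { $SessionManager }
}

function Get-CwdDllSearchPolicy {
    param([string]$Application)   # e.g. 'iTunes.exe'; omit for the system-wide setting
    $key  = Get-PolicyKey $Application
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    # REG_DWORD is returned as a signed Int32, so 0xFFFFFFFF reads as -1; mask to 32 bits.
    $raw  = if ($null -eq $item) { 0 } else { [int64]$item.$ValueName -band 0xFFFFFFFF }
    $hex  = '0x{0:X8}' -f $raw
    [pscustomobject]@{
        Scope   = if ($Application) { $Application } else { 'system-wide' }
        Value   = $hex
        Meaning = if ($Meaning.ContainsKey($hex)) { $Meaning[$hex] } else { 'undocumented value' }
    }
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Default', 'BlockWebDav', 'BlockRemote', 'BlockAll')]
        [string]$Policy,
        [string]$Application
    )
    $value = switch ($Policy) {
        'Default'     { 0 }
        'BlockWebDav' { 1 }
        'BlockRemote' { 2 }    # the "no library loads over a network" setting the article describes
        'BlockAll'    { -1 }   # written as -1 so the DWORD is stored as 0xFFFFFFFF
    }
    $key = Get-PolicyKey $Application
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    Get-CwdDllSearchPolicy -Application $Application
}

# Show the current system-wide setting. To apply the mitigation (requires elevation):
#   Set-CwdDllSearchPolicy -Policy BlockRemote                          # system-wide
#   Set-CwdDllSearchPolicy -Policy BlockAll -Application 'iTunes.exe'   # stricter, one application
Get-CwdDllSearchPolicy
```

Value 2 is what the mitigation described above amounts to: the working directory is still searched when it is a local folder, but not when it is a share or WebDAV folder, so the remote vector is closed without changing how locally installed programs behave. The per-application form lets an administrator trial the stricter 0xFFFFFFFF against one program first, since removing the working directory from the search order entirely can break software that legitimately loads plug-ins from it.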

Current antivirus software won't necessarily stop a vulnerability from being exploited, Talbot said, but the software can sometimes detect the payloads that an attacker might try to install on a vulnerable system.

Update, 4:40 p.m. PDT: Added comment from Symantec official and from HD Moore's blog post.