Monday, September 13, 2010

Windows DLL vulnerability: Bad Mojo

On August 23rd Microsoft released Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution. If a program doesn't properly specify the path for a Dynamic-Link Library (DLL), an attacker can create a bogus DLL that will be loaded instead when the program tries to load the real one. That DLL can contain code to install software, delete files, or do anything the user can do - or anything the program calling the DLL can do, if it has greater privileges than the user.

What makes this bad mojo? This attack works over the network, so it can be performed by making a file available online that will cause a program on your computer to launch and call the bogus DLL. The attacker doesn't actually have to put anything on your machine; he only has to get you to open a remote file. If you are logged into your computer as an administrator (most home users and many small business users are), your computer is no longer yours.

This exploit works over networking protocols. The advisory specifically names WebDAV and SMB, but it will probably work over NFS (Sun's Network File System) and AFP (Apple File Protocol) and maybe FTP as well.

Microsoft is providing workarounds to negate the problem, but is relying on the software companies to supply patches to their own software to solve it. If Microsoft were to patch this issue in the operating system, a lot of programs would break, so at the time I write this they are not going to issue a patch. Here are the workarounds Microsoft is offering:

Mitigating Factors and Suggested Actions

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of this issue. The following mitigating factors may be helpful in your situation:

This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers that recommend alternate methods to load libraries that are safe against these attacks.

For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.


Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable loading of libraries from WebDAV and remote network shares

Note This workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107.

Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.

Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:


1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, follow these steps:


1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running, click Start.
4. Click OK and exit the management application.
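
The WebClient workaround above, together with the registry setting that the KB 2264107 update reads, can be audited and applied from an elevated PowerShell prompt. This script is an added example, not part of the advisory or of the original post; the value name CWDIllegalInDllSearch and the meanings of its values come from KB 2264107 rather than from this page.

```powershell
# Added example: audit, and with -Apply enforce, two workarounds from advisory 2269637.
# Run elevated. Without -Apply the script only reads state.
param(
    [switch]$Apply,
    # 1 = block DLL loads from the current directory when it is a WebDAV folder
    # 2 = block when it is any remote folder (UNC or WebDAV)
    [ValidateSet(1, 2)][int]$CwdValue = 2
)

$valueName = 'CWDIllegalInDllSearch'   # registry value documented in KB 2264107
$globalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-WorkaroundState {
    # CIM is used instead of Get-Service so StartMode is available on older PowerShell too.
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $global = (Get-ItemProperty -Path $globalKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    # Per-application settings live under each image's subkey of Image File Execution Options.
    $perApp = Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = $_.GetValue($valueName)
        if ($null -ne $v) { '{0}=0x{1:X}' -f $_.PSChildName, $v }
    }
    [pscustomobject]@{
        WebClientInstalled = [bool]$svc
        WebClientStartMode = $svc.StartMode      # Auto, Manual or Disabled
        WebClientState     = $svc.State          # Running or Stopped
        GlobalCwdSetting   = if ($null -ne $global) { '0x{0:X}' -f $global } else { 'not set' }
        PerAppCwdSettings  = @($perApp) -join '; '
    }
}

if ($Apply) {
    # Same effect as the Services.msc steps: stop the service, set Startup type to Disabled.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force
        Set-Service -Name WebClient -StartupType Disabled
    }
    # The value is honoured only where the KB 2264107 update is present.
    New-ItemProperty -Path $globalKey -Name $valueName -PropertyType DWord `
        -Value $CwdValue -Force | Out-Null
}

Get-WorkaroundState | Format-List
```

To undo, set the WebClient startup type back to Automatic as in the steps above and delete the CWDIllegalInDllSearch value with Remove-ItemProperty.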

Block TCP ports 139 and 445 at the firewall

These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments.

Impact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

Applications that use SMB (CIFS)

Applications that use mailslots or named pipes (RPC over SMB)

Server (File and Print Sharing)

Group Policy

Net Logon

Distributed File System (DFS)

Terminal Server Licensing

Print Spooler

Computer Browser

Remote Procedure Call Locator

Fax Service

Indexing Service

Performance Logs and Alerts

Systems Management Server

License Logging Service

How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.

Additional Suggested Actions

Install updates from third-party vendors that address insecure library loading

Third-party vendors may release updates that address insecure library loading in their products. Microsoft recommends that customers contact their vendor if they have any questions whether or not a specific application is affected by this issue, and monitor for security updates released by these vendors.

Protect Your Computer

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

For more information about staying safe on the Internet, visit Microsoft Security Central.

Keep Windows updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

I hope you find this information helpful. Remember to be careful what you click on.