Microsoft has said that it is ‘conducting a thorough investigation' into the Dynamic-Link Library (DLL) preloading vulnerability.
As detailed yesterday, the problem exists when a program needs to dynamically load a library to extend its functionality, and if an attacker can control the library that is loaded they can load their own malicious code.
Christopher Budd, senior security response communications manager at Microsoft, said that an advisory, listed as 2269637, has been produced and it is currently conducting a thorough investigation into how this new vector may affect Microsoft products. “As always, if we find this issue affects any of our products, we will address them appropriately,” he said.
“What this new research demonstrates is a new remote vector for DLL preloading attacks. These attacks are not new or unique to the Windows platform. For instance, PATH attacks that are similar to this issue constitute some of the earliest class of attacks against the Unix operating system.
“PATH or DLL preloading attacks have so far required the attacker to plant the malicious library on the local client system. This new research outlines a way an attacker could levy these attacks by planting the malicious library on a network share. In this scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file. At that point, the application would load the malicious library and the attacker's code would execute on the user's system.”
A ‘defence-in-depth' update has been published for customers to deploy that will help protect against attempts to exploit vulnerable applications through this newly identified vector.
Budd said: “While the best protection is following best practices, we are able to provide an additional layer of defence by offering a tool that can be configured to disable the loading of libraries from network shares.
“In particular, because this is altering functionality, we encourage customers to evaluate this tool before deploying it. As part of your evaluation, we encourage you to review the information at the (SRD) blog.
“We are using our strong connections with researchers and partners in the industry to help address this new class of vulnerability. Our Microsoft Vulnerability Research program has been working to coordinate communication between the researcher who first brought this new vector to us and other application developers who are affected by this issue.”