Security Watch

Holed Up in the Library

A flaw with curious name, "binary planting," grows out of iTunes on Windows. There's a workaround for that.

Microsoft has released a new security advisory on a vulnerability in the Windows operating system's dynamic link library (DLL). A DLL is Redmond's shared library concept for most of its more prominent iterations of the Windows OS. Redmond said the issue is caused by "specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks."

These practices, according to the security advisory, could "allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location."

The flaw was first uncovered last Thursday by Acros, a security firm in Slovenia, which published an advisory identifying what it called "binary planting" flaw in iTunes. What does iTunes have to do with Windows? Well, when a user opens a media file like one from iTunes using a remote network share, iTunes will naturally attempt to load additional DLLs during the file-loading process.

In this context, according to experts such as H.D. Moore of Rapid 7, the first U.S.-based researcher to make the discovery, and Andrew Storms, director of security at nCircle, a malicious DLL file can ride on in unnoticed and a hacker can then execute code changes remotely.

"The big question of the day doesn't concern third-party application developers that didn't follow Microsoft's programming advice and so are vulnerable to this category of attack," said Storms. "The big question is, which of Microsoft's own products are vulnerable? Microsoft information so far is still skirting this important question."

A consensus among security experts is that the best mitigation, other than to wait and see what Microsoft says in its advisory (which should be released anytime this week), is to block Windows Server Message Block (SMB) at the perimeter and disable Web client service.

Exploit research expert H.D. Moore gave more background on Sunday about how the hack actually goes down, through his proofs of concept outlined in this blog post.

Also, in February, Taeho Kwon and Zhendong Su at The University of California at Davis, published "Automatic Detection of Vulnerable Dynamic Component Loadings," a scholarly look at the subject .

Kwon and Su's work is significant as Kwon told Computerworld this week that he didn't think Microsoft intended to patch the issue, but instead would fix the problem in upcoming Windows OS and Microsoft Office service packs.

For its part, Microsoft said it is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will "take appropriate action to protect its customers." These "appropriate actions," of course, could include more detailed workarounds, updates in new service packs or even a reversal of the stance on not patching this issue.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus