Security Watch

Holed Up in the Library

A flaw with curious name, "binary planting," grows out of iTunes on Windows. There's a workaround for that.

Microsoft has released a new security advisory on a vulnerability in the Windows operating system's dynamic link library (DLL). A DLL is Redmond's shared library concept for most of its more prominent iterations of the Windows OS. Redmond said the issue is caused by "specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks."

These practices, according to the security advisory, could "allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location."

The flaw was first uncovered last Thursday by Acros, a security firm in Slovenia, which published an advisory identifying what it called "binary planting" flaw in iTunes. What does iTunes have to do with Windows? Well, when a user opens a media file like one from iTunes using a remote network share, iTunes will naturally attempt to load additional DLLs during the file-loading process.

In this context, according to experts such as H.D. Moore of Rapid 7, the first U.S.-based researcher to make the discovery, and Andrew Storms, director of security at nCircle, a malicious DLL file can ride on in unnoticed and a hacker can then execute code changes remotely.

"The big question of the day doesn't concern third-party application developers that didn't follow Microsoft's programming advice and so are vulnerable to this category of attack," said Storms. "The big question is, which of Microsoft's own products are vulnerable? Microsoft information so far is still skirting this important question."

A consensus among security experts is that the best mitigation, other than to wait and see what Microsoft says in its advisory (which should be released anytime this week), is to block Windows Server Message Block (SMB) at the perimeter and disable Web client service.

Exploit research expert H.D. Moore gave more background on Sunday about how the hack actually goes down, through his proofs of concept outlined in this blog post.

Also, in February, Taeho Kwon and Zhendong Su at The University of California at Davis, published "Automatic Detection of Vulnerable Dynamic Component Loadings," a scholarly look at the subject .

Kwon and Su's work is significant as Kwon told Computerworld this week that he didn't think Microsoft intended to patch the issue, but instead would fix the problem in upcoming Windows OS and Microsoft Office service packs.

For its part, Microsoft said it is investigating whether any of its own applications are affected by insecure library loading vulnerabilities and will "take appropriate action to protect its customers." These "appropriate actions," of course, could include more detailed workarounds, updates in new service packs or even a reversal of the stance on not patching this issue.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

  • Microsoft Browser Support for TLS 1.0 and 1.1 Ending 2H 2020

    Microsoft announced on Tuesday that its plans to drop support for Transport Layer Security (TLS) protocols 1.0 and 1.1 in its browsers will get delayed by a few months until the second half of this year.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.