Microsoft Warns of DLL Flaw Involving Remote Servers

Microsoft issued a security advisory this evening about an old hacking trick that could affect Windows systems via remote servers.

The hack involves a problem with poorly written applications that call libraries (.DLL files) without specifying a path. Because no path is given, the application searches its current working directory for the library, and at that point it can load malware (disguised as the library file) that could enable the attacker to gain the same Windows network privileges as the user. While this problem is well known and referred to as "DLL preloading attacks" or "binary planting," the new information triggering this latest security advisory is that such attacks can be accomplished using remote servers.

Microsoft's security advisory (2269637) notes that the problem is confined to flawed applications that "do not load external libraries securely." Also, the vulnerable application has to access "an untrusted remote file system location or WebDAV share" for the exploit to occur. Microsoft describes this flaw as "a new attack vector" for such exploits, as it was previously conceived as just a potential problem confined to local servers.

The problem is either associated with remote servers using WebDAV (or "Web-based Distributed Authoring and Versioning"), which is used with Internet Information Services in Windows, or with remote servers using the Server Message Block (SMB) protocol. One potential mitigating factor that can thwart such attacks is that the SMB file sharing protocol is typically "disabled on the perimeter firewall," according to Microsoft's advisory.

Microsoft is currently offering workarounds for supported Windows versions, as described in the security bulletin. IT pros can use a tool described in Knowledge Base article 2264107 to implement them. This tool disables library loading from remote networks or from WebDAV shares, and it can be applied either to specific applications or system-wide. However, Microsoft has not yet publicly identified which applications have the vulnerability.
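To see what the KB 2264107 workaround actually changes on a machine, here is an added PowerShell script (written for this page; it is not Microsoft's tool and not code from the article) that audits the CWDIllegalInDllSearch registry value the tool sets, both system-wide and per application, and can apply it. The key paths, the value name and the meaning of each setting are taken from KB 2264107 as I understand it, not from the article; `example.exe` in the comments is a placeholder. It needs PowerShell 3.0 or later, and the Set function needs an elevated shell.

```powershell
# Added example, not code from the article or from Microsoft: audits the
# CWDIllegalInDllSearch workaround from KB 2264107 and can apply it.
# Key paths, the value name and the meaning of each setting follow that KB
# as the author of this example understands it; 'example.exe' is a placeholder.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdSettingMeaning {
    param([uint32]$Value)
    switch ($Value) {
        0          { 'default: current working directory (CWD) is searched, even when it is a remote share' }
        1          { 'CWD is skipped when it is a WebDAV folder' }
        2          { 'CWD is skipped when it is a WebDAV folder or a remote (UNC) share' }
        4294967295 { 'CWD is removed from the DLL search order entirely (0xFFFFFFFF)' }
        default    { 'unrecognised value' }
    }
}

function Get-CwdDllSearchSetting {
    # Returns the DWORD stored under $Key, or $null when the key or value is absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return $null }
    # The registry provider hands a DWORD back as a signed Int32, so 0xFFFFFFFF reads as -1.
    return [uint32]([int64]$props.$ValueName -band 0xFFFFFFFF)
}

function Test-CwdDllSearchMitigation {
    # One row for the system-wide setting, plus one row per application that
    # carries its own override under Image File Execution Options.
    $sys = Get-CwdDllSearchSetting -Key $SystemKey
    if ($null -eq $sys) { $sys = [uint32]0 }   # absent value means default behaviour
    [pscustomobject]@{
        Scope     = 'System-wide'
        Value     = $sys
        Meaning   = Get-CwdSettingMeaning -Value $sys
        Protected = ($sys -ge 2)   # 2 or 0xFFFFFFFF covers the remote-share vector in the advisory
    }
    if (Test-Path -LiteralPath $IfeoKey) {
        Get-ChildItem -LiteralPath $IfeoKey | ForEach-Object {
            $v = Get-CwdDllSearchSetting -Key $_.PSPath
            if ($null -ne $v) {
                [pscustomobject]@{
                    Scope     = $_.PSChildName
                    Value     = $v
                    Meaning   = Get-CwdSettingMeaning -Value $v
                    Protected = ($v -ge 2)
                }
            }
        }
    }
}

function Set-CwdDllSearchMitigation {
    # Writes the setting system-wide, or for one executable when -ApplicationExe
    # is given (e.g. 'example.exe', a placeholder). Requires an elevated shell.
    param(
        [uint32]$Value = 2,
        [string]$ApplicationExe
    )
    if (@(1, 2, 4294967295) -notcontains $Value) {
        throw 'Value must be 1, 2 or 0xFFFFFFFF (4294967295)'
    }
    $key = $SystemKey
    if ($ApplicationExe) {
        $key = Join-Path $IfeoKey $ApplicationExe
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Store the signed 32-bit pattern so 0xFFFFFFFF is accepted as a DWORD on older PowerShell.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord -Value $signed -Force | Out-Null
}

# Audit only; apply with Set-CwdDllSearchMitigation after testing the affected applications.
Test-CwdDllSearchMitigation | Format-Table -AutoSize
```

Running the script as written only reads the registry and prints one row per scope, so it is safe to run on a production box; a `Protected` column of `False` for the system-wide row means the machine still searches the current working directory even when that directory is a remote share. Per-application entries are the way to roll the workaround out to the one or two programs that need it first, which matches Microsoft's advice to test before applying it broadly.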

IT pros can also block "TCP ports 139 and 445 at the firewall" to protect Windows systems, according to the security advisory. However, various applications and services may not work with those ports blocked.

In general, Microsoft recommends that IT pros test Windows systems when applying the workarounds. Some functionality may be diminished, a Microsoft Security Response Center (MSRC) blog post warns.

The exploit was pointed out by various independent security researchers, and Microsoft is continuing to work with them and the software industry to "identify and address vulnerable applications," according to the MSRC blog. Microsoft plans to notify the public through "security advisories, security bulletins and the MSRC weblog as appropriate."

The problem is quite broad, with all Windows applications potentially being suspect. Microsoft has published best practices for application developers to help avoid this issue, but the guidelines might not have been that clear, Microsoft acknowledged in a security research and defense blog post.

"We recently published an MSDN article, 'Dynamic-Link Library Security,' that provides specific guidance to developers on how to load these libraries securely," the blog explained.

Microsoft is examining its own applications to see if they are affected. However, Computerworld's Gregg Keizer has already received a description from one of the researchers involved, Taeho Kwon, indicating that Microsoft Office 2007 and Internet Explorer have the flaw.

Keizer also noted that HD Moore, chief security officer at Rapid7, and Slovenian security company Acros, have noted the vulnerabilities. Acros found "more than 200 flawed Windows programs," according to Keizer's story.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
