
Thread: Old MS Alerts

  1. #1
    Adviser Team AplusWebMaster

    MS Security Advisory (2269637)

    FYI...

    Microsoft Security Advisory (2269637)
    Insecure Library Loading Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...y/2269637.mspx
    August 23, 2010 - "Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security*, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool** that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
    Mitigating Factors:
    • This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security*, that recommend alternate methods to load libraries that are safe against these attacks.
    • For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
    • The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability..."

    * http://msdn.microsoft.com/en-us/libr...12(VS.85).aspx
    8/19/2010

    ** http://support.microsoft.com/kb/2264107
    Last Review: August 25, 2010 - Revision: 3.0

    More... DLL Preloading remote attack vector
    - http://blogs.technet.com/b/srd/archi...ck-vector.aspx
    23 Aug 2010

    - http://isc.sans.edu/diary.html?storyid=9445
    Last Updated: 2010-08-24 17:01:04 UTC ...(Version: 3) - "... UPDATE 2: We received some e-mails about active exploitation of this vulnerability in the wild... it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail... applications for which Proof of Concept exploits have been published... be very careful about files you open from network shares..."

    - http://www.us-cert.gov/current/#micr...rity_advisory5
    August 24, 2010 - "... publicly available exploit code for this vulnerability... workarounds may reduce the functionality of the affected systems. Workarounds include:
    • disabling the loading of libraries from WebDAV and remote network shares
    • disabling the WebClient service
    • blocking TCP ports 139 and 445 at the firewall ..."

    - http://securitytracker.com/alerts/2010/Aug/1024355.html
    Aug 24 2010
    ___

    - http://blog.eset.com/wp-content/media_files/DLLvuln.png
    August 26, 2010
    ___

    Insecure Library Loading Vulnerability:
    Release Date: 2010-08-25

    Microsoft Windows Address Book...
    - http://secunia.com/advisories/41050/
    uTorrent...
    - http://secunia.com/advisories/41051/
    Adobe Photoshop...
    - http://secunia.com/advisories/41060/
    Microsoft Office PowerPoint...
    - http://secunia.com/advisories/41063/
    Wireshark...
    - http://secunia.com/advisories/41064/
    Opera...
    - http://secunia.com/advisories/41083/
    Mozilla Firefox...
    - http://secunia.com/advisories/41095/
    Windows Live Mail...
    - http://secunia.com/advisories/41098/
    Microsoft Office Groove...
    - http://secunia.com/advisories/41104/
    VLC Media Player...
    - http://secunia.com/advisories/41107/
    avast! Antivirus...
    - http://secunia.com/advisories/41109/
    Adobe Dreamweaver...
    - http://secunia.com/advisories/41110/
    TeamViewer...
    - http://secunia.com/advisories/41112/

    ... Criticality level: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched ...
    ___

    - http://secunia.com/blog/120
    24 August 2010 - "... the discovery of the remote vector just made this serious... The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order. These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it. As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified. Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher..."

    - http://www.kb.cert.org/vuls/id/707943
    Date Last Updated: 2010-08-25

    Last edited by AplusWebMaster; 2010-08-28 at 11:50.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
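Added example, not part of the original post or of any quoted advisory: a simplified Python model of the library search behaviour the Secunia text describes, comparing a bare-name load, a bare-name load after `SetDllDirectory()` has been called with a blank path, and a fully qualified load. The application, the share, the file listings and the library name `codec.dll` are all constructed, and the model assumes the default safe search mode and ignores details such as the known-DLLs list.

```python
# Simplified model of the Windows DLL search order (SafeDllSearchMode on).
# Every path and file listing here is constructed sample data.
import ntpath

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP = r"C:\Program Files\Viewer"          # hypothetical application directory
SHARE = r"\\fileserver.example\docs"      # hypothetical share holding the opened file
PATH_DIRS = [r"C:\Tools"]
FILES = {                                 # directory -> file names present
    APP: {"viewer.exe"},
    APP + r"\plugins": {"codec.dll"},     # the library the developer meant to load
    r"C:\Windows\System32": {"kernel32.dll"},
    SHARE: {"report.doc", "codec.dll"},   # same name sitting beside the document
}

def search_order(cwd, cwd_removed=False):
    """Directories probed for a bare library name, in order."""
    order = [APP] + SYSTEM_DIRS
    if not cwd_removed:          # SetDllDirectory("") drops this entry
        order.append(cwd)
    return order + PATH_DIRS

def resolve(lib, cwd, cwd_removed=False):
    """Return the path that would be loaded, or None if nothing matches."""
    if ntpath.isabs(lib):        # fully qualified: no directory search at all
        folder, name = ntpath.split(lib)
        return lib if name.lower() in FILES.get(folder, set()) else None
    for folder in search_order(cwd, cwd_removed):
        if lib.lower() in FILES.get(folder, set()):
            return folder + "\\" + lib
    return None

def is_remote(path):
    """True for UNC locations such as an SMB or WebDAV share."""
    return path is not None and path.startswith("\\\\")

def compare_loads(cwd=SHARE):
    """Resolve the same library three ways with the share as working directory."""
    return {
        "bare name": resolve("codec.dll", cwd),
        "bare name, CWD removed": resolve("codec.dll", cwd, cwd_removed=True),
        "fully qualified": resolve(APP + r"\plugins\codec.dll", cwd),
    }

if __name__ == "__main__":
    for how, loaded in compare_loads().items():
        print(f"{how:24} -> {loaded}  remote={is_remote(loaded)}")
```

In this model, removing the current directory stops the remote copy from loading but leaves the bare-name load failing, because the intended file sits in a subfolder outside the search order; only the fully qualified path loads the intended library.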
