Microsoft confirms remote code-execution bug

This is in continuation to my yesterday’s blog.

Microsoft’s advisory has confirmed that the attacks exploit a weakness in the way programs load associated libraries. The binary files can be located in a variety of directories, including those on networks controlled by a malicious hacker.

According to Microsoft the vulnerability exists in Windows applications made by third-party developers however it is still investigating whether any Microsoft programs are susceptible to the “binary planting” or “DLL preloading attacks”.

According to Microsoft Security Response Center blog, this issue cannot be directly addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. The attack works because many applications ignore best security practices and search for the library based only on the file name, rather than the full directory path. When the current working directory is set to one controlled by the attacker, it’s possible to load a malicious file.

Microsoft suggests that admins disable WebDAV and block outgoing SMB connections on ports 445 and 139. Additionally it has also released a software tool that changes the way Windows searches for DLL files. There are different versions of tool depending upon the Windows versions you use. You can download the tool from here.