Microsoft Warns Users Of DLL Preloading Attack Vector

Microsoft released a security advisory warning users of a newly discovered critical attack vector leading to a known DLL (dynamic link library) preloading vulnerability that could enable hackers to launch malicious code on users' Windows systems.

Unlike other Microsoft security advisories that warn users of vulnerabilities in Windows applications, this one alerts users to a new attack vector that could enable hackers to exploit an established class of vulnerabilities, Microsoft said.

"This is different from other Microsoft Security Advisories because it's not talking about specific vulnerabilities in Microsoft products. Rather, this is our official guidance in response to security research that has outlined a new, remote vector for a well-known class of vulnerabilities, known as DLL preloading or 'binary planting' attacks," said Christopher Budd, Microsoft senior security response communications manager, in a blog post Monday.

The binary planting vulnerabilities themselves are nothing new. Researchers at Acros Security first discovered the issues back in March, and alerted Microsoft to two of the 121 binary planting issues they'd discovered in 41 of Microsoft's applications.


"During the research, we've been privately notifying our customer about bugs in their products and made it possible for them to fix them before the research would get published," Acros researchers wrote in a blog post Tuesday. "At some point, though, it became clear that a publication of such a heavily populated class of remotely exploited vulnerabilities could easily cause a serious global security problem if billions of Windows users and organizations had no way to protect themselves—not just from the bugs we've found, but also from other bugs that some less law-abiding netizens would start discovering and exploiting."

While Microsoft was "not unaware of the problem," its researchers were "genuinely surprised at its ubiquity and remote exploitability," the Acros blog post said.

Specifically, the attack vector could pave the way for hackers to exploit DLL preloading vulnerabilities, which arise from the way applications load external libraries. The issue enables hackers to launch malicious code remotely when a user opens a file from an untrusted source with a vulnerable application.

In an attack scenario, an attacker tricks an application into loading a malicious library in place of a trusted one. This is possible because the application requests the library by its short file name rather than its full path. The attacker can then place the malicious file in the current working directory, which the system may search before other locations. As a result, the malicious library is loaded first and its code executes inside the application.

Previously, an attacker could launch these kinds of attacks only by planting a malicious library on the local client. However, Microsoft's latest research uncovered how an attacker could carry out the attack remotely by uploading a specially crafted library to a network share, such as WebDAV or SMB. The attacker could create a data file opened by the vulnerable application, create a malicious library used by the vulnerable application and post both of them to a network share that could be accessed by other users. The attacker would then have to entice the user into opening the malicious library, which would automatically execute arbitrary code on the user's machine.

Once the vulnerability was exploited, an attacker could take complete control of a user's system to steal financial and personal data, among other things.

In addition to its advisory, Microsoft released a workaround tool designed to mitigate the threat by changing the way libraries are loaded, either for the entire system or for specific applications. Essentially, the tool disables the loading of libraries from WebDAV and remote network shares, but it can be configured to allow some loading on a per-application basis.

"While the best protection is following best practices, we are able to provide an additional layer of defense by offering a tool that can be configured to disable the loading of libraries from network shares," Budd wrote.

As additional workarounds, Microsoft recommended disabling the WebClient service and blocking TCP ports 139 and 445 at the firewall. Microsoft researchers also suggested that users regularly install updates from third-party vendors that address insecure library loading, protect their computers by enabling a firewall, keep up-to-date antivirus software and keep Windows systems regularly updated.
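To make the search-order behaviour described above and the effect of Microsoft's CWD workaround concrete, here is a small model added for this article (not Microsoft's code and not the workaround tool itself): it walks a constructed filesystem in the Windows DLL search order and shows how a library requested by its short name is picked up from a remote current working directory, how a fully qualified name avoids the search entirely, and how the policy values modelled on the CWDIllegalInDllSearch registry setting block the remote lookup. The paths, the `DavWWWRoot` convention for recognising WebDAV shares, and the planted `helper.dll` are all constructed for the example.

```python
# Constructed model of the Windows DLL search order and of the CWD mitigation
# from Microsoft's workaround. Not Microsoft's code: the filesystem is a set
# of constructed paths, and the policy numbers follow the CWDIllegalInDllSearch
# values (0xFFFFFFFF: never search the CWD; 2: skip the CWD when it is a
# remote share; 1: skip it only when it is a WebDAV share; 0: no restriction).
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]

# Constructed filesystem: a viewer application, one system DLL, and a remote
# share holding the bait document plus a planted library named like the
# helper the application loads by short name.
FILES = {
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"\\attacker\share\report.txt",
    r"\\attacker\share\helper.dll",
}
CWD_ILLEGAL_NEVER, CWD_ILLEGAL_REMOTE, CWD_ILLEGAL_WEBDAV = 0xFFFFFFFF, 2, 1

def is_remote(path):
    return path.startswith("\\\\")

def is_webdav(path):
    # Model convention (constructed): WebDAV shares are UNC paths with DavWWWRoot.
    return is_remote(path) and "DavWWWRoot" in path

def cwd_searched(cwd, policy):
    """Does the current working directory stay in the search list?"""
    if policy == CWD_ILLEGAL_NEVER:
        return False
    if policy == CWD_ILLEGAL_REMOTE:
        return not is_remote(cwd)
    if policy == CWD_ILLEGAL_WEBDAV:
        return not is_webdav(cwd)
    return True

def resolve_dll(name, app_dir, cwd, policy=0, safe_search=True):
    """Path a LoadLibrary(name) call would pick in this model, or None.

    A fully qualified name is never searched for. A bare name walks the
    search order: with SafeDllSearchMode the CWD comes after the system
    directories, in legacy mode right after the application directory.
    """
    if name[1:3] == ":\\" or is_remote(name):
        return name if name in FILES else None
    cwd_part = [cwd] if cwd_searched(cwd, policy) else []
    if safe_search:
        order = [app_dir] + SYSTEM_DIRS + cwd_part + PATH_DIRS
    else:
        order = [app_dir] + cwd_part + SYSTEM_DIRS + PATH_DIRS
    for directory in order:
        candidate = directory.rstrip("\\") + "\\" + name
        if candidate in FILES:
            return candidate
    return None
```

A failed lookup (`None`) is the safe outcome here: the application reports a missing library instead of executing the planted one, which is exactly the trade-off the per-application configuration of the workaround exists to manage.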

Microsoft said it was further investigating which of its own applications are affected, and has also reached out to third-party vendors to inform them of the mitigations available in the operating system.