All the latest UK technology news, reviews and analysis
|
|
|
24 Aug 2010
Microsoft has issued a security advisory about a flaw that could affect a huge number of third-party Windows applications.
The flaw, which was discovered by Acros Security, is called a “binary planting” bug and can be exploited as applications load dynamic link libraries (DLL). Acros discovered the flaw last year and was surprised at the extent of the problem.
“We first developed a tool for detecting these bugs and then, time permitting, subjected about 220 widely-used applications to the powers of our tool," said the company in a blog posting.
“[We were] initially expecting only a few bugs here and there, [so] we were surprised to find about 90 per cent of the applications vulnerable. And when I say 'vulnerable', I mean vulnerable to remote execution in a real-world scenario, without having any privileges on the user's computer.”
The flaw can be exploited by adding a malicious DLL to a media archive. If an application searches through directories for the DLL the malware can be activated.
Microsoft has now released a tool that can stop individual applications from searching for such DLL files in an insecure manner, and has issued advice on faulty code identification and firewall settings to mitigate expected attacks.
Microsoft’s Security Research and Defense team has also issued advice on how to deal with the issue and is investigating the extent of the problem. Third-party developers are also being asked to check their code.
“Loading dynamic libraries is basic behaviour for Windows and other operating systems, and the design of some applications requires the ability to load libraries from the current working directory,” said the team in a blog.
“Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads.”
The case is one of the first to use Microsoft’s controlled vulnerability disclosure (CVD) procedures, where flaw details are released before a patch is available.
Christopher Budd, senior security response communications manager at Microsoft, told V3.co.uk that a patch would be coming soon.
Latest stories from Developer
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
TFL director of Games transport Mark Evers discusses how the public transport network is preparing for this summer's event
Connect with V3.co.uk
The wrong printers, for the wrong tasks on the wrong contracts
Who leads the BI pack and who should we be watching out for?
Head of Presales - Sip/Telephony My client is fast...
Service Desk Analyst / Desktop Support Circa £19k...
Infrastructure Project Manager Infrastructure Project...
Oracle Technical Architect - Senior, eBusiness, Fusion...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?