Microsoft issues tool to block code execution bug

by Iain Thomson

24 Aug 2010

Microsoft has issued a security advisory about a flaw that could affect a huge number of third-party Windows applications.

The flaw, which was discovered by Acros Security, is called a “binary planting” bug and can be exploited as applications load dynamic link libraries (DLL). Acros discovered the flaw last year and was surprised at the extent of the problem.

“We first developed a tool for detecting these bugs and then, time permitting, subjected about 220 widely-used applications to the powers of our tool,” said the company in a blog posting.

“[We were] initially expecting only a few bugs here and there, [so] we were surprised to find about 90 per cent of the applications vulnerable. And when I say 'vulnerable', I mean vulnerable to remote execution in a real-world scenario, without having any privileges on the user's computer.”

The flaw can be exploited by adding a malicious DLL to a media archive. If an application searches through directories for the DLL, the malware can be activated.

Microsoft has now released a tool that can stop individual applications from searching for such DLL files in an insecure manner, and has issued advice on faulty code identification and firewall settings to mitigate expected attacks.

Microsoft’s Security Research and Defense team has also issued advice on how to deal with the issue and is investigating the extent of the problem. Third-party developers are also being asked to check their code.

“Loading dynamic libraries is basic behaviour for Windows and other operating systems, and the design of some applications requires the ability to load libraries from the current working directory,” said the team in a blog.

“Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads.”
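As an added illustration of the code check developers are being asked to make (this is not code from Microsoft, Acros Security or the article), the Python sketch below scans C/C++ source for library loads that depend on the default search path. It is a heuristic that assumes the load call takes a string literal; the `LOAD_LIBRARY_SEARCH_*` flags of `LoadLibraryEx` it recognises are a Windows API detail not named in the article, and the sample source is constructed.

```python
import re

# LoadLibrary/LoadLibraryEx (A/W variants) called with a string literal.
# Group 2 is the literal as written in the C source; group 3 is the rest of
# the call, where LoadLibraryEx flags appear.
CALL_RE = re.compile(
    r'\b(LoadLibrary(?:Ex)?[AW]?)\s*\(\s*(?:L|TEXT\s*\(\s*|_T\s*\(\s*)?'
    r'"((?:[^"\\]|\\.)*)"([^;]*);'
)
# In C source a drive path is written C:\\... or C:/..., a UNC path \\\\server.
ABSOLUTE_RE = re.compile(r'^(?:[A-Za-z]:(?:\\\\|/)|\\\\\\\\)')
# LoadLibraryEx flags that restrict the search to fixed directories.
SAFE_FLAG_RE = re.compile(r'\bLOAD_LIBRARY_SEARCH_[A-Z0-9_]+\b')


def find_insecure_loads(source):
    """Return (line_number, function, library) for each load that relies on
    the default search path, which can include the current directory."""
    findings = []
    for m in CALL_RE.finditer(source):
        func, literal, rest = m.groups()
        if ABSOLUTE_RE.match(literal):
            continue  # fully qualified path: no directory search takes place
        if SAFE_FLAG_RE.search(rest):
            continue  # search restricted to fixed directories by flag
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, func, literal))
    return findings


# Constructed sample source, not taken from any real application.
SAMPLE = r'''
HMODULE a = LoadLibrary(TEXT("codec.dll"));
HMODULE b = LoadLibraryW(L"C:\\Program Files\\Player\\codec.dll");
HMODULE c = LoadLibraryExW(L"codec.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
HMODULE d = LoadLibraryA("plugins\\skin.dll");
'''

if __name__ == "__main__":
    for line, func, lib in find_insecure_loads(SAMPLE):
        print(f"line {line}: {func} loads {lib} via the default search path")
```

Loads built from variables rather than literals are not seen by this scan and still need manual review.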

The case is one of the first to use Microsoft’s controlled vulnerability disclosure (CVD) procedures, where flaw details are released before a patch is available.

Christopher Budd, senior security response communications manager at Microsoft, told V3.co.uk that a patch would be coming soon.
