Microsoft has issued a security advisory about a flaw that could affect a huge number of third-party Windows applications.
The flaw, which was discovered by Acros Security, is called a “binary planting” bug and can be exploited as applications load dynamic link libraries (DLL). Acros discovered the flaw last year and was surprised at the extent of the problem.
“We first developed a tool for detecting these bugs and then, time permitting, subjected about 220 widely-used applications to the powers of our tool," said the company in a blog posting.
“[We were] initially expecting only a few bugs here and there, [so] we were surprised to find about 90 per cent of the applications vulnerable. And when I say 'vulnerable', I mean vulnerable to remote execution in a real-world scenario, without having any privileges on the user's computer.”
The flaw can be exploited by adding a malicious DLL to a media archive. If an application searches through directories for the DLL the malware can be activated.
Microsoft has now released a tool that can stop individual applications from searching for such DLL files in an insecure manner, and has issued advice on faulty code identification and firewall settings to mitigate expected attacks.
Microsoft’s Security Research and Defense team has also issued advice on how to deal with the issue and is investigating the extent of the problem. Third-party developers are also being asked to check their code.
“Loading dynamic libraries is basic behaviour for Windows and other operating systems, and the design of some applications requires the ability to load libraries from the current working directory,” said the team in a blog.
“Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads.”
The case is one of the first to use Microsoft’s controlled vulnerability disclosure (CVD) procedures, where flaw details are released before a patch is available.
Christopher Budd, senior security response communications manager at Microsoft, told V3.co.uk that a patch would be coming soon.
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago
Such an earthquake would lead to a complete stress release in this segment of the fault system
Four types of test were performed to assess the performance of parachutes that could be used in missions to Mars