A flaw in the way Microsoft and some third party applications preload shared files in Windows will be addressed by the software maker over time, but until then Microsoft is urging customers to install a new tool and an automated temporary patch to block attacks attempting to exploit the flaw.
Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some an update may not be possible.
group manager of response communicationsMicrosoft
In an update on an ongoing Microsoft investigation into a dynamic-link library (DLL) preloading vulnerability, Microsoft said it would issue security updates to address the vulnerability in its applications. The software giant rated the flaw important because a user would need to click through a series of warnings and dialogs to open a malicious file attempting to exploit the vulnerability.
"DLL preloading is a well-known class of vulnerabilities and we have had guidance for developers in place for quite some time. We have recently updated that guidance to provide more clarity," wrote Jerry Bryant, Microsoft's group manager of response communications in the Microsoft Security Response Center blog. "Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some an update may not be possible."
The DLL preloading issue surfaced late last month when security researcher and Metasploit architect H.D. Moore, CSO at Rapid7, published details about the DLL load hijacking issue, along with a generic exploit module for the Metasploit framework and an audit kit to identify affected applications on a system. Moore said he published the details after a Slovenian security firm published an advisory about a "binary planting" flaw in iTunes.
Microsoft issued a security advisory Aug. 23, with updated guidance for developers and a new tool that could prevent unsafe DLL loading. In addition a temporary automated patch has been developed to address network-based attack vectors, Microsoft said.
"Customers should note that the tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path and developers will be required to update those applications accordingly," Bryant said.