Posted by: Jay Dugan
binary planting bug, DLL preloading, malware, Microsoft, SMB, WebDAV
On Monday, August 23, 2010, Microsoft released a security advisory regarding insecure library loading, also known as “DLL preloading” or “binary planting” (Microsoft Security Advisory 2269637). DLLs, or dynamic link libraries, are modules of computer code that act as building blocks for many computer programs. According to Microsoft, poorly written programs allow hackers to disguise malware as a legitimate DLL that is loaded and executed when an unsuspecting user opens a file from an untrustworthy site.
Microsoft cautions that this problem affects only programs that do not load DLLs securely. In addition, users must visit an untrusted site and execute a file from it to initiate the attack.
Remote servers using Server Message Block (SMB) or Web Distributed Authoring and Versioning (WebDAV) are the vector for this attack. Microsoft has a tool for IT pros that disables library loading from WebDAV shares; see KB2264107. Network security administrators should check that SMB is blocked at the firewall by default. TCP ports 139 and 445 can also be blocked; however, this should be tested first, as some network functionality may be lost.
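The two mitigations above can be checked and applied from an elevated PowerShell prompt. This is an added example, not code from the advisory, the KB article or the post; it assumes the CWDIllegalInDllSearch registry value that KB2264107 describes, the built-in netsh advfirewall command, and a rule name of my own choosing.

```powershell
# Added example (not from the post or from Microsoft). Assumes a Windows host,
# administrator rights, the CWDIllegalInDllSearch value from KB2264107 and the
# built-in netsh advfirewall CLI. Without -Apply it only reports.
param(
    [switch]$Apply
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'CWDIllegalInDllSearch'

# DWORD meaning per KB2264107:
#   1          = block DLL loads from the current working directory (CWD)
#                when the CWD is on a remote share (SMB or WebDAV)
#   2          = block only when the CWD is on a WebDAV share
#   0xFFFFFFFF = remove the CWD from the DLL search path entirely
$Desired = 1

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not set: DLLs may still be loaded from a remote CWD"
} else {
    Write-Host ("{0} = 0x{1:X8}" -f $ValueName, $current)
}

if ($Apply -and $current -ne $Desired) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -Type DWord
    Write-Host "Set $ValueName to $Desired (a reboot may be required)"
}

# Outbound SMB (TCP 139/445) is what fetches a planted DLL from a remote share.
# Check whether an outbound block rule already exists; the rule name is assumed.
$RuleName = 'Block outbound SMB (binary planting)'
$null = netsh advfirewall firewall show rule name="$RuleName" 2>$null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Firewall rule '$RuleName' already present"
} elseif ($Apply) {
    # Test on a pilot group first: this also cuts legitimate SMB to any
    # remote network, so narrow remoteip= to the ranges you actually want blocked.
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
        protocol=TCP remoteport=139,445 remoteip=any profile=any
    Write-Host "Added firewall rule '$RuleName'"
} else {
    Write-Host "No outbound block for TCP 139/445; run with -Apply to add one"
}
```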
This alert is important because it points out a new vector for the type of malware that steals personal information such as credit card numbers and passwords and contributes to identity theft. The extent of the problem is still not known; it may affect not only third-party programs but Microsoft applications as well. However, Microsoft has not been forthcoming with information in this regard.