
Insecure library loading vulnerability affects 176 popular programs

In mid-August 2010, public details began to emerge about a long-standing vulnerability in how dozens of popular programs load dynamic link library (.dll) files. Soon after the details were published, hacker sites began posting exploit code. Now, cybercriminals are using these vulnerabilities in multi-exploit kits, in attacks against your applications, browsers and their plug-ins.

On August 23, 2010, Microsoft published an advisory about the DLL vulnerability, then updated it on Aug 31. In that advisory one can read about recommended workarounds and mitigating factors. There is a link on that page to a MS Fix-It tool page, titled: "A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm" - which requires one to first apply a Registry fix shown on that page. Be forewarned, this is a lot of highly technical stuff. I recommend that anybody capable of reading through the Microsoft advisory and workaround pages apply the fixes as soon as possible. The rest will have to wait until a suitable patch is available via Windows Updates.
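A read-only PowerShell check for the registry entry named above, added here as an example and not taken from the article or from Microsoft. The key paths and value meanings are assumptions drawn from Microsoft's documentation of the entry, and the function name `Get-CwdDllSearchSetting` is hypothetical.

```powershell
# Added example (not from the article). Read-only audit of CWDIllegalInDllSearch.
# Key paths and value meanings are assumptions taken from Microsoft's
# documentation of this entry; the article itself does not list them.
$ValueName = 'CWDIllegalInDllSearch'
$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$Meaning = @{
    '00000000' = 'default search order; current directory is still searched'
    '00000001' = 'DLL load from current directory blocked when it is a WebDAV folder'
    '00000002' = 'DLL load from current directory blocked when it is a remote folder'
    'FFFFFFFF' = 'current directory removed from the DLL search order'
}

function Get-CwdDllSearchSetting {
    param([string]$KeyPath, [string]$Scope)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $raw = if ($key) { $key.GetValue($ValueName) } else { $null }

    if ($null -eq $raw) {
        # Entry absent: Windows behaves as if the value were 0.
        $hex = '(not set)'
        $effect = $Meaning['00000000']
    } else {
        # A DWORD comes back as Int32, so 0xFFFFFFFF arrives as -1; compare as hex.
        $hex = '{0:X8}' -f $raw
        $effect = if ($Meaning.ContainsKey($hex)) { $Meaning[$hex] } else { 'unrecognised value' }
    }
    [pscustomobject]@{ Scope = $Scope; Value = $hex; Effect = $effect }
}

# System-wide setting first, then any per-application overrides.
$report = @(Get-CwdDllSearchSetting -KeyPath $SystemKey -Scope 'System-wide')
Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    if ($null -ne $_.GetValue($ValueName)) {
        $report += Get-CwdDllSearchSetting -KeyPath $_.PSPath -Scope $_.PSChildName
    }
}
$report | Format-Table -AutoSize -Wrap
```

The entry has an effect only on systems where the Microsoft update that introduces it is installed.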

At the time I posted this article, the security firm Secunia had identified 176 programs and operating systems that can be exploited by directing one of these applications to load a remotely hosted hostile file when the targeted program opens, or opens an associated file. The exploited files are .dll libraries, which just about every Windows program uses as includes to add functionality to the main program executable. The .dll files are actually executable files, but only when called by another executable. They are technically referred to as Portable Executable, or PE files.

Of these 176 programs, Microsoft is responsible for 20, including numerous operating systems, like Windows XP, Vista and 7, its MS Office applications, and the Windows Live Mail email client. All remain unpatched as of October 11, 2010. Watch for some possible fixes on Patch Tuesday, October 12, 2010. Hopefully some, if not all, of the vulnerable Microsoft programs will be patched. It has been almost two months since the public disclosure. C'mon, Microsoft!

Seven popular Nero and Roxio CD burning programs are affected, as are the media players WinAmp and RealPlayer. BlackBerry Desktop Software versions 3 through 5 are vulnerable. Even QuickBooks 2010 made the vulnerable list!

You can look over the complete list of vulnerable programs, and see which ones have had patched versions released. If you see apps that you are using on this list, and they are unpatched, your best protection is to reduce your user privileges. If you use Windows XP, a Limited User account is the safest. For Windows XP Professional, Vista and 7, a Standard (XP Power User), or Limited account is safer than an Administrator account. Operating with reduced user privileges also reduces any danger of exploitation, or lessens the impact of exploitation to just that account, rather than the entire operating system.

If you are browsing the Internet with Internet Explorer, try switching to Mozilla Firefox instead. Firefox has already been patched against the .dll loading vulnerability.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.
