'Old-new' Windows vulnerability discovered

Warnings have been made about a ‘new' zero-day flaw in Windows that could make applications vulnerable.

The flaw was reported by Mitja Kolsek, CEO of application security consultancy Acros Security, who told The Register that around 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system.

He said that the critical vulnerability has already been patched in Apple's iTunes media player for Windows and VMware Tools, but for Windows it will be especially challenging to fix, as each application will ultimately need to receive its own patch.

H. D. Moore, CSO and chief architect of the Metasploit project, has previously told The Register that the flaw "applies to a wide range of Windows applications", and added that he found it while researching the Windows shortcut vulnerability that was patched earlier this month.

Speaking to SC Magazine, Chris Wyospal, CTO at Veracode, claimed that the remote code execution problem is an old issue, detailed in this Common Weakness and Enumeration (CWE) entry.

He said: “The class of problem is called a process control vulnerability, it is when the program needs to dynamically load a library to extend its functionality. If the attacker can control the library that is loaded they can load their own malicious code. If the program doesn't tightly control where the Dynamic-Link Library (DLL) is loaded from, this becomes an issue.

“The most common case is when the program loads the library from the current directory. It is easy for the attacker to change the current directory or find a way to get the user to do it, that seems to be what happens in iTunes when it goes to get a file from a particular directory. It changes the current directory and then looks to load a library of a specific name. If a malicious library is planted by an attacker, then that library is loaded and executed.

“This problem is serious and is definitely common. I just queried our customer data for the last 18 months and we have found this vulnerability 29 times in applications we have analysed. Each application that has this vulnerability will need to have its code changed via a patch or new release to fix it.”

Marco Giuliani at Prevx said: “From what we can read it looks like this vulnerability allows an attacker to execute arbitrary code by forcing some applications loading malicious files. We currently aren't aware of any more detail about this flaw, and looks like Rapid7 is going to release further details about it during this week. So we could just do some speculation about this zero-day flaw.

“While we could question the implementation of such search order, I do not think it is a Windows operating system problem itself. The logic behind runtime module loading is well documented by Microsoft and explained on MSDN. Moreover, both search order and LoadLibrary/LoadLibraryEx functions are well documented. This then becomes a problem of software developers and whether they decided to follow Microsoft's development guidelines or not.

“Actually this Windows behaviour has been exploited for years by malware and it has been discussed online many times. We actually don't know if this is the flaw discussed in the article, we only know that it would be a case of an 'old-new' zero-day flaw. But, again, it is only speculation. We have just to wait for someone releasing more details about it.”

See original article on scmagazineus.com