MIcrosoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.
According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft's, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.
Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.
All these researchers have pointed out that many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for a .dll, .exe or .com file, they can hijack the PC.
Today, Kwon said that he reported four serious vulnerabilities to Microsoft in August 2009 after finding flaws in nearly 30 Windows programs, including Office 2007, Adobe Reader and all the major browsers.
During the back-and-forth between Kwon and engineers in the Microsoft Security Response Center (MSRC) about the remotely-executable bugs, the latter told Kwon that the company won't ship a security bulletin, but instead will address the problem in upcoming Windows and Office service packs.
According to Kwon, Microsoft declined to deliver a patch because "the root causes [of the vulnerabilities] are in other vendors' products." Microsoft also told Kwon it intended to work with the companies whose software contained flaws.
In an e-mail today to Computerworld, Kwon quoted a statement he said he received from Microsoft.
"For the two specific vulnerabilities that have been identified in this paper Microsoft has agreed to work with these vendors on behalf of the authors through the MSVR (Microsoft Vulnerability Research) program," Microsoft said. "As there are application compatibility concerns in changing the way 'Loadlibrary' and 'SetDllDirectory' work currently, Microsoft intends to address the underlying issue in a Service Pack or next version of Office products."
Microsoft's decision won't come as a surprise to the researchers who have publicized the problem.
Last week, for example, Moore said it was unlikely Microsoft could come up with a fix. "There may be work-arounds available, but the core issue is with the application itself, not Windows," he said at the time. "There may be fixes that can be applied at the OS level, but these are likely to break existing applications."
Kwon said much the same today, but was optimistic that changes to Windows in a service pack -- the irregularly-released major updates to Windows -- could help. "I believe that some Windows-level patches, such as the service packs mentioned by Microsoft, can mitigate this issue," he said. "However, it may not completely solve this problem because of backward compatibility concerns."
The component-loading problem that Kwon, Moore and Acros Security have referred to since late last week is not new, but goes back at least a decade to a bug report filed in 2000. The attention the issue is getting now, said Kwon, is due in part to an uptick in attacks that rely on a combination of vulnerabilities, or lean heavily on social engineering tricks to get users to click on malicious links.
Old or new, the problem is systemic, said Mitja Kolsek, CEO of Acros Security.
"Judging from our research results ... we can safely say that all Windows users can at this moment be attacked via at least one remote binary planting vulnerability," Kolsek said in a post to a blog the Slovenian firm kicked off Monday.
Microsoft declined to comment on Kwon's claims that the company will not -- or cannot -- deliver a fix by patching Windows.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.