Microsoft won't patch critical DLL loading bugs
Third-party vendors responsible for fixes; Microsoft may address issue in future service packs
Computerworld - MIcrosoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.
According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft's, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.
Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.
All these researchers have pointed out that many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for a .dll, .exe or .com file, they can hijack the PC.
Today, Kwon said that he reported four serious vulnerabilities to Microsoft in August 2009 after finding flaws in nearly 30 Windows programs, including Office 2007, Adobe Reader and all the major browsers.
During the back-and-forth between Kwon and engineers in the Microsoft Security Response Center (MSRC) about the remotely-executable bugs, the latter told Kwon that the company won't ship a security bulletin, but instead will address the problem in upcoming Windows and Office service packs.
According to Kwon, Microsoft declined to deliver a patch because "the root causes [of the vulnerabilities] are in other vendors' products." Microsoft also told Kwon it intended to work with the companies whose software contained flaws.
In an e-mail today to Computerworld, Kwon quoted a statement he said he received from Microsoft.
"For the two specific vulnerabilities that have been identified in this paper Microsoft has agreed to work with these vendors on behalf of the authors through the MSVR (Microsoft Vulnerability Research) program," Microsoft said. "As there are application compatibility concerns in changing the way 'Loadlibrary' and 'SetDllDirectory' work currently, Microsoft intends to address the underlying issue in a Service Pack or next version of Office products."
Microsoft's decision won't come as a surprise to the researchers who have publicized the problem.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!