Microsoft won't patch critical DLL loading bugs
Third-party vendors responsible for fixes; Microsoft may address issue in future service packs
Computerworld - MIcrosoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.
According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft's, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.
Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.
All these researchers have pointed out that many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for a .dll, .exe or .com file, they can hijack the PC.
Today, Kwon said that he reported four serious vulnerabilities to Microsoft in August 2009 after finding flaws in nearly 30 Windows programs, including Office 2007, Adobe Reader and all the major browsers.
During the back-and-forth between Kwon and engineers in the Microsoft Security Response Center (MSRC) about the remotely-executable bugs, the latter told Kwon that the company won't ship a security bulletin, but instead will address the problem in upcoming Windows and Office service packs.
According to Kwon, Microsoft declined to deliver a patch because "the root causes [of the vulnerabilities] are in other vendors' products." Microsoft also told Kwon it intended to work with the companies whose software contained flaws.
In an e-mail today to Computerworld, Kwon quoted a statement he said he received from Microsoft.
"For the two specific vulnerabilities that have been identified in this paper Microsoft has agreed to work with these vendors on behalf of the authors through the MSVR (Microsoft Vulnerability Research) program," Microsoft said. "As there are application compatibility concerns in changing the way 'Loadlibrary' and 'SetDllDirectory' work currently, Microsoft intends to address the underlying issue in a Service Pack or next version of Office products."
Microsoft's decision won't come as a surprise to the researchers who have publicized the problem.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts