Microsoft won't patch critical DLL loading bugs
Third-party vendors responsible for fixes; Microsoft may address issue in future service packs
Computerworld - MIcrosoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.
According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft's, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications, including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.
Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.
All these researchers have pointed out that many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for a .dll, .exe or .com file, they can hijack the PC.
Today, Kwon said that he reported four serious vulnerabilities to Microsoft in August 2009 after finding flaws in nearly 30 Windows programs, including Office 2007, Adobe Reader and all the major browsers.
During the back-and-forth between Kwon and engineers in the Microsoft Security Response Center (MSRC) about the remotely-executable bugs, the latter told Kwon that the company won't ship a security bulletin, but instead will address the problem in upcoming Windows and Office service packs.
According to Kwon, Microsoft declined to deliver a patch because "the root causes [of the vulnerabilities] are in other vendors' products." Microsoft also told Kwon it intended to work with the companies whose software contained flaws.
In an e-mail today to Computerworld, Kwon quoted a statement he said he received from Microsoft.
"For the two specific vulnerabilities that have been identified in this paper Microsoft has agreed to work with these vendors on behalf of the authors through the MSVR (Microsoft Vulnerability Research) program," Microsoft said. "As there are application compatibility concerns in changing the way 'Loadlibrary' and 'SetDllDirectory' work currently, Microsoft intends to address the underlying issue in a Service Pack or next version of Office products."
Microsoft's decision won't come as a surprise to the researchers who have publicized the problem.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts