According to the latest Microsoft advisory, this exploit involves a remote attack vector for a specific class of vulnerabilities that affect how applications load external libraries in Windows.
Microsoft said an attacker who completes a sucessful exploit would aquire the same rights as the logged in user and, if logged in as the administrator, would have complete control of an affected system.
The likely exploit scenario, according to Jonathan Ness and Maarten Van Horenbeeck of the Microsoft Security Response Center (MSRC), is a two-step attack where users must “open a file hosted on an attacker-controlled SMB or WebDAV share. The file itself would not necessarily be malicious or malformed”, the duo warned in an MSRC blog posting, adding “The key is that the file is loaded from a location where an attacker can also place a malicious DLL with the same name as a DLL the vulnerable application loads”.
“If a perimeter firewall prevents a system from making outbound SMB or WebDAV connections to attacker-controlled locations, this issue poses little risk”, Ness and Van Horenbeeck claimed. “An attack cannot be automatically launched through email or web browsing attack vectors; a user must choose to open a file.”
“However we recognize that users will often open trusted filetypes. We continue to recommend that all outbound SMB is filtered at the perimeter firewall.”
Indeed, the subsequent Microsoft security advisory recommends that users disable the loading of libraries from WebDAV and remote network shares.
In response to the vulnerability, Microsoft has issued tool packages for each of its supported operating systems that inhibits the loading of libraries from network shares.
Christopher Budd, senior security response communications manager with Microsoft, said this tool would allow system administrators to mitigate risks associated with the DLL vulnerability by “altering the library-loading behavior for the operating system or for specific applications”.
He also added that Microsoft has issued guidance for developers so they can avoid the vulnerability and take measures to ensure that libraries called by programs load correctly.
Dozens of popular applications are thought to be affected by the DLL bug, including web browsers Google Chrome, Mozilla Firefox, Apple Safari, and Opera, in addition to common productivity apps such as PowerPoint 2010, Microsoft Word, Adobe Dreamweaver, and Adobe Photoshop.
Security firm Vupen Security is currently tracking applications with known vulnerabilities to the DLL hijacking bug on its website.
Microsoft did not release its own initial list of vulnerable applications, only to say that the company is currently investigating applications affected by the issue and notifying developers who may also be affected, while assuring it would “take appropriate action to protect [its] customers”.