
Technical Cyber Security Alert 2010-238A

Posted Aug 27, 2010
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2010-238A - Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.

tags | advisory, arbitrary
systems | windows
SHA-256 | 3c368bba3ca8356c7b1ad9d4aed1f83789fc50844522618bb8101890abf928eb



National Cyber Alert System

Technical Cyber Security Alert TA10-238A


Microsoft Windows Insecurely Loads Dynamic Libraries

Original release date: August 26, 2010
Last revised: --
Source: US-CERT


Systems Affected

Any application running on the Microsoft Windows platform that
uses dynamically linked libraries (DLLs) may be affected. Whether
or not an application is vulnerable depends on how it
specifically loads a DLL. Please see the Vendor Information
section of Vulnerability Note VU#707943 for information about
specific vendors.


Overview

Due to the way Microsoft Windows loads dynamically linked libraries
(DLLs), an application may load an attacker-supplied DLL instead of
the legitimate one, resulting in the execution of arbitrary code.


I. Description

Microsoft Windows supports dynamically linked libraries (DLLs) that
are loaded when needed by an application. DLLs are typically loaded
when the application is first started; however, DLLs may be loaded
and unloaded while the application is running. An application can
request a DLL file in a variety of ways, and Windows uses several
different search algorithms to find DLL files. The interaction
between the application and Windows can result in a DLL file being
loaded from the current working directory of the application,
instead of the Windows system directory or the directory where the
application is installed.

The current working directory could be the desktop, a removable
storage device such as a USB key, a Windows file share, or a WebDAV
location. When a file associated with an application is opened, a
DLL in the same directory as the file may be loaded. Although an
attacker may not have permission to write to the Windows system or
application directories, the attacker may be able to write a DLL to
a directory used to store files, or the attacker could provide
their own directory.

Attacks against this type of vulnerability have been referred to as
"binary planting." Please see Vulnerability Note VU#707943 and
Microsoft Security Advisory 2269637 for more information.


II. Impact

By placing a DLL with the correct name (and possibly the relative
directory path) in the current working directory, an attacker could
execute arbitrary code with the privileges of the application that
loads the DLL.
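
Added example (not part of the US-CERT alert): one way to triage for the condition described above from process and image-load telemetry. The events are constructed and assume Sysmon field names (event 1 = process creation, event 7 = image load); the function name find_suspect_loads and the trusted-root list are hypothetical.

```python
# Added example: flag DLL loads from directories outside the install and
# system locations. Events are constructed; field names follow Sysmon.
import ntpath

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")   # assumed local policy

def find_suspect_loads(events):
    start_cwd = {}   # ProcessGuid -> directory the process started in
    alerts = []
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            start_cwd[guid] = ev["CurrentDirectory"].rstrip("\\").lower()
        elif ev["EventID"] == 7:
            dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
            app_dir = ntpath.dirname(ev["Image"]).lower()
            if dll_dir == app_dir or (dll_dir + "\\").startswith(TRUSTED_ROOTS):
                continue
            reasons = ["untrusted-dir"]
            # The CWD can change after start-up (e.g. a file-open dialog),
            # so a missing "start-cwd" tag does not clear the load.
            if dll_dir == start_cwd.get(guid):
                reasons.append("start-cwd")
            if dll_dir.startswith("\\\\"):
                reasons.append("remote")
            if ev.get("Signed") != "true":
                reasons.append("unsigned")
            alerts.append((ntpath.basename(ev["Image"]), ev["ImageLoaded"], reasons))
    return alerts

V = r"C:\Program Files\Viewer\viewer.exe"
P = r"C:\Program Files\Player\player.exe"
EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "ProcessGuid": "{A}", "Image": V,
     "CurrentDirectory": "\\\\fileserver\\share\\docs\\"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": V, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": V, "Signed": "false",
     "ImageLoaded": r"\\fileserver\share\docs\codec.dll"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": P,
     "CurrentDirectory": "C:\\Users\\alice\\Desktop\\"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": P, "Signed": "true",
     "ImageLoaded": r"C:\Users\alice\Downloads\media\plugin.dll"},
]

if __name__ == "__main__":
    print(*find_suspect_loads(EVENTS), sep="\n")
```

The second alert carries only the "untrusted-dir" tag because the DLL sits beside an opened file rather than in the start directory, which is why the start directory alone is not a sufficient filter.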


III. Solution

Individual applications that run on the Windows platform may
require patches or updates. Microsoft Knowledge Base article
KB2264107 describes an update that provides a registry key that can
prevent Windows from searching the current working directory for
DLL files.
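
Added example (not part of the US-CERT alert): a simplified Python model of the standard DLL search order described in section I, listing which requested DLLs resolve from the current working directory and where they resolve once that directory is no longer searched, which is the effect of the KB2264107 setting described above. The directory names, file listings and the helper names search_order, resolve and audit are constructed for illustration; KnownDLLs, already-loaded modules and SetDllDirectory are not modelled.

```python
# Added example: simplified model of the Windows DLL search order for a bare
# DLL name. All directory names and file listings are constructed.

def search_order(app_dir, cwd, path_dirs, safe_mode=True, search_cwd=True,
                 windir=r"C:\Windows"):
    """Directories in the order the loader tries them (KnownDLLs,
    already-loaded modules and SetDllDirectory are not modelled)."""
    system = [windir + r"\System32", windir + r"\System", windir]
    cwd_part = [cwd] if search_cwd else []
    if safe_mode:   # SafeDllSearchMode on: CWD comes after the system dirs
        return [app_dir] + system + cwd_part + list(path_dirs)
    return [app_dir] + cwd_part + system + list(path_dirs)

def resolve(dll, fs, **opts):
    """Return the first directory in the search order that holds `dll`."""
    for d in search_order(**opts):
        if dll.lower() in fs.get(d.lower(), set()):
            return d
    return None

def audit(dlls, fs, app_dir, cwd, path_dirs, safe_mode=True):
    """Map each DLL that resolves from the CWD to where it resolves once
    the CWD is removed from the search (None = the load fails)."""
    findings = {}
    if cwd.lower() == app_dir.lower():
        return findings      # CWD is the install dir: nothing extra is searched
    common = dict(app_dir=app_dir, cwd=cwd, path_dirs=path_dirs,
                  safe_mode=safe_mode)
    for dll in dlls:
        if resolve(dll, fs, **common) == cwd:
            findings[dll] = resolve(dll, fs, search_cwd=False, **common)
    return findings

# Constructed scenario: a document opened from a file share.
APP, CWD = r"C:\Program Files\Viewer", r"\\fileserver\share\docs"
FS = {
    APP.lower(): {"viewer.exe", "render.dll"},
    r"c:\windows\system32": {"kernel32.dll", "version.dll"},
    CWD.lower(): {"report.doc", "codec.dll", "version.dll"},
}
WANTED = ["render.dll", "version.dll", "codec.dll"]

if __name__ == "__main__":
    print(audit(WANTED, FS, APP, CWD, []))
    print(audit(WANTED, FS, APP, CWD, [], safe_mode=False))
```

With SafeDllSearchMode on, only the DLL that exists nowhere earlier in the order is taken from the share; with it off, the share's copy of a system DLL name is taken as well.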

Information about specific solutions for different vendors, general
mitigation techniques, and secure ways for applications to load
DLLs can be found in the Vendor Information and Solution sections
of Vulnerability Note VU#707943.


IV. References

* Vulnerability Note VU#707943 -
<http://www.kb.cert.org/vuls/id/707943>

* Microsoft Security Advisory (2269637) -
<http://www.microsoft.com/technet/security/advisory/2269637.mspx>

* A new CWDIllegalInDllSearch registry entry is available to control
the DLL search path algorithm -
<http://support.microsoft.com/kb/2264107>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA10-238A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-238A Feedback VU#707943" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2010 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

August 26, 2010: Initial release

