Microsoft DLL Hijacking Vulnerability
by David Lingenfelter, Fiberlink
This week Microsoft released information about an issue in its OS that has made hundreds of applications that run on Windows vulnerable to attack.
Here’s the security advisory from Microsoft: http://www.microsoft.com/technet/security/advisory/2269637.mspx
The vulnerability allows applications to load DLLs that are on remote network shares. A DLL (Dynamic Link Library) is a piece of code that applications use to help them run. Typically, when an application is installed, its DLLs are placed either in a standard directory (C:\Windows\System32) or in the directory where the application is installed. The flaw allows applications to load DLLs that are not on the local workstation. This means that if you connect to a network share and click on a file there, and that file starts an application on your local workstation, the application may load a malicious DLL saved on the network share rather than one on your local workstation.
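A defender's view of the behaviour described above, as an added example that is not part of the original post: given (process image, loaded DLL) pairs such as a module-load log would supply, it flags local programs that loaded a DLL from a UNC path or a mapped network drive. The event list, the `ExampleApp` paths, the `fileserver` host and the `Z:` mapping are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Standard local DLL directory named in the article.
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")

# Constructed sample: (process image, loaded DLL) pairs. Not real log data.
SAMPLE_EVENTS = [
    (r"C:\Program Files\ExampleApp\viewer.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Program Files\ExampleApp\viewer.exe", r"c:\program files\exampleapp\codec.dll"),
    (r"C:\Program Files\ExampleApp\viewer.exe", r"\\fileserver\public\codec.dll"),
    (r"C:\Program Files\ExampleApp\viewer.exe", r"z:\projects\helper.dll"),
    (r"\\fileserver\tools\setup.exe", r"\\fileserver\tools\setup.dll"),
]


def is_remote(path, network_drives=frozenset()):
    """True for UNC paths and for drive letters known to be mapped shares."""
    drive = PureWindowsPath(path).drive.upper()
    # A UNC path such as \\server\share\x.dll has the drive \\server\share.
    return drive.startswith("\\\\") or drive in {d.upper() for d in network_drives}


def dll_origin(image, dll, network_drives=frozenset()):
    """Classify a loaded DLL as remote, system, app-dir or other-local."""
    if is_remote(dll, network_drives):
        return "remote"
    dll_dir = PureWindowsPath(dll).parent
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    if dll_dir == SYSTEM_DIR:
        return "system"
    if dll_dir == PureWindowsPath(image).parent:
        return "app-dir"
    return "other-local"


def suspicious_loads(events, network_drives=frozenset()):
    """Return events where a locally installed program loaded a remote DLL."""
    return [
        (image, dll)
        for image, dll in events
        if not is_remote(image, network_drives)
        and dll_origin(image, dll, network_drives) == "remote"
    ]


if __name__ == "__main__":
    for image, dll in suspicious_loads(SAMPLE_EVENTS, {"Z:"}):
        print(f"REVIEW: {image} loaded {dll}")
```

A mapped drive cannot be recognised from the path alone, so the set of network drive letters has to come from the host's own drive mappings.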
Here are a couple more articles on the vulnerability:
- http://isc.sans.edu/diary.html?storyid=9445
- http://www.zdnet.com/blog/security/details-emerge-on-new-dll-load-hijacking-windows-attack-vector/7204
- http://www.pcworld.com/businesscenter/article/204017/microsoft_applications_plagued_by_binary_planting_flaw.html
Some of the applications affected by this are Windows Office, Wireshark, Firefox (v3.6.8), Windows Live Mail, etc. Expect a lot of patches to come out over the coming weeks. To limit your personal exposure, be sure you know and trust the location of the files you are opening.
MaaS360 Patch Analyzer provides access to detailed information about installed and missing patches including Product, Title, KB Article ID, Bulletin ID, Severity, Category, and More Info URL to Microsoft® TechNet.

about 1 year ago
Cool. I just learned more about the topic by Googling it!