Last week, we released Security Advisory 2269637 notifying customers of a publicly disclosed remote attack vector to a class of vulnerabilities affecting applications that load dynamic-link libraries (DLLs) in an insecure manner. At that time, we also released a tool to help protect systems by disallowing unsafe DLL-loading behavior.
Today we wanted to provide an update by answering several questions we have received from customers and addressing common misperceptions about the risk posed by this class of vulnerability.
The user experience of the exploit in progress
This class of vulnerabilities does not enable a “driveby” or “browse-and-get-owned” 0-click attack. To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays. Let’s walk through an example of what an attack might look like:
First, the user browses to a malicious website:
The website would then attempt to display a new Windows Explorer window that points to a malicious WebDAV or SMB share. On systems running Protected Mode, Internet Explorer will require user consent to launch Windows Explorer, using a security warning like the one below. Protected Mode is enabled by default for Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
After the user allows Windows Explorer to launch (or if they have previously requested that Internet Explorer no longer display this warning), the user will be presented with a Windows Explorer dialog that is likely to look like the one below:
At this point, if the user were to double-click the data file on the share, the affected application could potentially run attacker code that is separately hosted on the same WebDAV server.
The dangers of untrusted, Internet-zone WebDAV
As described above, this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:
Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of file. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename using character-encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL preloading issue, it is very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.
Enabling the CWDIllegalInDllSearch protection tool
We have received several questions regarding the best way to enable the protection tool released on the Microsoft Download Center last week.
First, you should know that downloading and installing the tool alone will not protect a workstation from vulnerable applications. It ships “off-by-default” and must be enabled either system-wide or for specific applications. After releasing this tool, we received a number of questions on how best to deploy it. We have now updated the KB article to address them. We encourage you to review the updated knowledge base article 2264107.
Secondly, customers have asked us to recommend the best setting among the three choices. We recommend one of two settings, depending on the specific risk about which you are concerned.
Note: The Fix-it itself does not install the workaround tool. You’ll need to separately download and install the tool beforehand.
This option can be enabled by following these steps:
While the impact of the above change seems to be low, a reader of this blog wrote in that he experienced a compatibility issue with the Outlook 2002 address book. If you experience issues such as this, they can be mitigated by setting a special policy for the affected binaries that overrides the default CWDIllegalInDllSearch. The following steps show how to do this for OUTLOOK.EXE:
This will still prevent OUTLOOK.EXE from loading DLLs from a remote network share or WebDAV location, but it does not remove CWD from the library search path for this application altogether. This process can be repeated for all other applications that may no longer work correctly. As discussed, we don’t believe this will be common, but we do recommend testing.
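The per-application override described above, as an added PowerShell example that is not part of the original post or of the Microsoft tool. It assumes the registry locations and DWORD meanings documented in KB 2264107 (the system-wide value under the Session Manager key, and per-application overrides under Image File Execution Options), that the protection update itself is already installed, and an elevated session; WINWORD.EXE is only a second executable to show the fallback to the system-wide default.

```powershell
# Registry locations and values for CWDIllegalInDllSearch as documented in KB 2264107
# (assumed here; the blog post above does not reproduce them).
$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Describe-CwdSetting([uint32]$Value) {
    # Translate the DWORD into the DLL search behaviour it selects.
    switch ($Value) {
        0xFFFFFFFF { 'CWD removed from the DLL search path entirely' }
        2          { 'CWD loads blocked when CWD is a remote UNC share or WebDAV folder' }
        1          { 'CWD loads blocked when CWD is a WebDAV folder' }
        0          { 'legacy search order: CWD is searched (protection off)' }
        default    { "unrecognised value $Value" }
    }
}

function Set-CwdDllProtection {
    # Writes the system-wide default, or a per-application override under
    # Image File Execution Options for the named executable (e.g. OUTLOOK.EXE).
    param([uint32]$Value, [string]$Executable)
    $key = if ($Executable) { Join-Path $IfeoRoot $Executable } else { $SystemKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD is written through Int32, so 0xFFFFFFFF has to be passed as -1.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $key -Name $ValueName -Type DWord -Value $signed
}

function Get-EffectiveCwdSetting([string]$Executable) {
    # A per-application override wins over the system-wide default; with neither
    # present the effective value is 0 (no protection). Returned as an unsigned DWORD.
    foreach ($key in @((Join-Path $IfeoRoot $Executable), $SystemKey)) {
        $raw = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($null -ne $raw) { return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0) }
    }
    return [uint32]0
}

# The scenario from the post: remove CWD system-wide, but relax OUTLOOK.EXE to 2 so it
# still cannot load DLLs from a remote share or WebDAV location yet keeps CWD in its path.
Set-CwdDllProtection -Value 0xFFFFFFFF
Set-CwdDllProtection -Value 2 -Executable 'OUTLOOK.EXE'
foreach ($exe in 'OUTLOOK.EXE', 'WINWORD.EXE') {
    $v = Get-EffectiveCwdSetting $exe
    '{0,-12} 0x{1:X8}  {2}' -f $exe, $v, (Describe-CwdSetting $v)
}
```

The report loop doubles as a quick audit: run it with the executables you care about to confirm which setting each one actually gets before and after changing the per-application policy.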
Thanks for your interest in this issue. Please send questions in to firstname.lastname@example.org.
Jonathan Ness, MSRC Engineering
Maarten Van Horenbeeck, MSRC Program Manager
*Posting is provided "AS IS" with no warranties, and confers no rights.*