The most recently identified exploit for Windows systems is in fact NOT a vulnerability in the Windows OS itself, but rather a vulnerability in possibly hundreds of Windows APPLICATIONS that load their libraries incorrectly. This means it can't be fixed by Microsoft alone and will require patches from each application vendor. Below are just four of the applications identified at this point. The 'solution' as it is currently offered is to NOT OPEN UNTRUSTED FILES. At some point all applications are expected to be patched, but that will take months, if not years.
You can read more details at the following links – http://isc.sans.edu/diary.html?storyid=9445 (the comments are very informative)
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
https://ca.secunia.com/?page=viewadvisory&vuln_id=41095
DESCRIPTION:
A vulnerability has been discovered in Mozilla Firefox, which can be
exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to the application loading libraries
(e.g. dwmapi.dll) in an insecure manner. This can be exploited to
load arbitrary libraries by tricking a user into e.g. opening an HTML
file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 3.6.8 for Windows. Other
versions may also be affected.
SOLUTION:
Do not open untrusted files.
http://secunia.com/advisories/41050/
DESCRIPTION:
A vulnerability has been discovered in Microsoft Windows, which can
be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to the Address Book application
(wab.exe) loading libraries (e.g. wab32res.dll) in an insecure
manner. This can be exploited to load arbitrary libraries by tricking
a user into e.g. opening a vCard (.vcf) located on a remote WebDAV or
SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in a fully patched Windows XP SP3,
Windows Server 2003 R2 Enterprise SP2, Windows Vista Business SP1,
Windows 7 Professional, and Windows Server 2008 Enterprise SP2. Other
versions may also be affected.
SOLUTION:
Do not open untrusted files.
http://secunia.com/advisories/41110/
DESCRIPTION:
A vulnerability has been discovered in Adobe Dreamweaver, which can
be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to the application loading libraries
(e.g. MFC90LOC.DLL and dwmapi.dll) in an insecure manner. This can be
exploited to load arbitrary libraries by tricking a user into e.g.
opening a CSS file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in Adobe Dreamweaver CS5 version 11.0
Build 4916. Other versions may also be affected.
SOLUTION:
Do not open untrusted files.
http://secunia.com/advisories/41083/
DESCRIPTION:
A vulnerability has been discovered in Opera, which can be exploited
by malicious people to compromise a user’s system.
The vulnerability is caused due to the application loading libraries
(e.g. dwmapi.dll) in an insecure manner. This can be exploited to
load arbitrary libraries by tricking a user into e.g. opening an HTML
file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 10.61 installed on Windows
XP SP3. Other versions may also be affected.
SOLUTION:
Do not open untrusted files.
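As an added example (not from this post, Secunia or Microsoft), a small Python detector that scans image-load telemetry for the pattern these advisories describe: a library such as dwmapi.dll resolving from a remote WebDAV/SMB share or another non-system directory instead of the system directory. The tab-separated log format, the directory lists and the sample records are constructed for this example; only the DLL names come from the advisories above.

```python
"""Flag image loads matching the DLL-preloading pattern above: a library such
as dwmapi.dll resolving from the opened document's directory (e.g. a remote
share) instead of the system directory.  Log format is constructed: one
tab-separated "<process image>\t<loaded DLL path>" record per line."""
import ntpath
from typing import List, Optional

# DLL names the advisories above cite as loaded insecurely (lower-case).
WATCHED_DLLS = {"dwmapi.dll", "wab32res.dll", "mfc90loc.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def is_remote(path: str) -> bool:
    r"""UNC paths: \\server\share (SMB) or \\server@SSL\DavWWWRoot (WebDAV)."""
    return path.startswith("\\\\")

def classify(process: str, loaded: str) -> Optional[str]:
    """Return a finding for a suspicious load, or None when it looks normal."""
    name = ntpath.basename(loaded).lower()
    load_dir = ntpath.dirname(loaded).lower()
    app_dir = ntpath.dirname(process).lower()
    if load_dir in SYSTEM_DIRS or load_dir == app_dir:
        return None  # system copy, or a DLL shipped beside the executable
    if is_remote(loaded):
        return f"HIGH: {name} loaded from remote share {load_dir} by {process}"
    if name in WATCHED_DLLS:
        return f"MEDIUM: {name} loaded from {load_dir}, not a system dir, by {process}"
    return None

def scan(lines: List[str]) -> List[str]:
    """Run classify() over tab-separated records; skips blank and comment lines."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        process, loaded = line.rstrip("\n").split("\t", 1)
        verdict = classify(process, loaded)
        if verdict:
            findings.append(verdict)
    return findings

# Constructed sample telemetry: two benign loads, one from a share, one odd.
SAMPLE_LOG = [
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe\tC:\\Windows\\System32\\dwmapi.dll",
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe\tC:\\Program Files\\Mozilla Firefox\\xul.dll",
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe\t\\\\fileserver.example\\docs\\reports\\dwmapi.dll",
    "C:\\Program Files\\Windows Mail\\wab.exe\tC:\\Users\\alice\\Downloads\\wab32res.dll",
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first rule is the one worth alerting on: a DLL that normally lives in System32 being loaded from a share is exactly the footprint of a user opening an untrusted file from that share.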
Update
If you want an idea of which applications are currently being identified as performing insecure library loading, look here – http://secunia.com/advisories/historic/ or http://www.vupen.com/english/security-advisories/ – the list is starting to get a little long.
Here are two external lists as well – http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
Keywords to look for – Insecure Library Loading Vulnerability
I see applications like VLC Media Player, Winamp, Adobe Illustrator, Microsoft Windows Backup, Real Player, Snagit, Mozilla Firefox and also Thunderbird.
Which raises the question: is this going to be a vendor-specific exposure, with some vendors having the vulnerability throughout their software products? If so, that might be good news – it would probably make it more likely that vendor X patches these exposures rapidly.