DLL Search Path Vulnerabilities in Microsoft Windows Applications
(MS10-096, MS10-093, MS10-097, MS10-094, MS10-095, CVE-2010-3147, CVE-2010-3967, CVE-2010-3144, CVE-2010-3965, CVE-2010-3966)
Summary
Microsoft has identified additional Microsoft Windows applications that are vulnerable to the "binary planting" or "DLL preloading" attacks initially reported in Security Advisory 2269637. Microsoft Office was patched earlier, as described in MS10-087. Successful exploitation of this vulnerability in these applications may allow execution of arbitrary code on a target system.
Details
Several Windows applications - Address Book, Movie Maker, Microsoft Internet Connection Signup Wizard, and Windows Media Encoder - use an insufficiently qualified search path to find and load Dynamic Link Libraries (DLLs). The same vulnerability exists in the Branch Cache WAN bandwidth optimization functionality included in some versions of Windows. A remote attacker may exploit this issue by convincing a user to open a legitimate file that is located in the same network directory as a specially crafted DLL file. Opening the legitimate file could result in the application also loading the malicious DLL, which can lead to execution of arbitrary code on the affected system.
Affected Products
Please see the CPAI links below for the operating systems and versions affected by this vulnerability.
Solution
Check Point IPS Software Blade, IPS-1, and NGX SmartDefense provide network protection in the latest IPS update by detecting and blocking suspicious DLL files over CIFS. For more information, see CPAI-2010-340, CPAI-2010-341, CPAI-2010-344, CPAI-2010-343, and CPAI-2010-342.
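The layout described under Details (a legitimate file sharing a network directory with a DLL) can also be audited on the file server itself. The following Python code is an added example, not Check Point or Microsoft code: it identifies DLLs by their PE header rather than by file name and reports directories where one sits beside a document. The function names, the 4096-byte read size and the `.wab`/`.vcf` extension list are illustrative assumptions.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks an image as a DLL

def is_pe_dll(data: bytes) -> bool:
    """True if data starts with a PE image whose COFF header marks it as a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_DLL)

def find_colocated_dlls(root, doc_exts=(".wab", ".vcf")):
    """Map each directory holding both a document and a DLL (by content) to its DLL names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        docs, dlls = [], []
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # assumption: PE header lies in the first 4 KiB
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_pe_dll(head):
                dlls.append(name)  # caught even if the extension is not .dll
            elif os.path.splitext(name)[1].lower() in doc_exts:
                docs.append(name)
        if docs and dlls:
            findings[dirpath] = dlls
    return findings

def sample_pe_header(characteristics):
    """Constructed minimal header for testing the parser (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff
```
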
Originally Published:
Last Updated: 14-Dec-2010