Researcher told Microsoft of Windows apps zero-day bugs 6 months ago

UC Davis researcher names 28 vulnerable apps, claims four remote code vulnerabilities

Microsoft has known since at least February that dozens of Windows applications, including many of its own, harbor bugs that hackers can exploit to seize control of computers, an academic researcher said Sunday.

At least four of the bugs can be exploited remotely, Taeho Kwon, a Ph.D. candidate at the University of California Davis, said in a paper he published in February and presented last month at an international conference.

Kwon added his voice to a growing chorus of researchers who claim that a large number of Windows programs are vulnerable to attack because of the way they load components.

Last week, U.S. researcher HD Moore said he had found at least 40 vulnerable applications , including the Windows shell. The next day, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began four months ago.

According to Moore, Acros and now Kwon, many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension. If hackers can plant malware disguised as a .dll in one of the directories an application searches when it looks for the library, they can hijack the PC.

On Saturday, Kwon claimed his work preceded Moore's and Acros'.

In the paper he presented last month at the International Symposium on Software Testing and Analysis (ISSTA), Kwon said that he had submitted a bug report to the Microsoft Security Response Center (MSRC).

"[MSRC] is working with us to develop necessary patches," said Kwon in the paper, which also carried the name of his advisor, Zhendong Su, an associate professor in the school's computer science department.

Kwon's paper detailed the systemic problem in Windows applications' loading of .dlls, listed 28 programs that collectively contained over 1,700 separate bugs, and spelled out how hackers could exploit those vulnerabilities.

He also developed a tool to detect unsafe .dll loads, then ran it on several popular programs. But unlike Acros, which used its own tool to do the same, Kwon named the software that failed the test.

According to Kwon, all the major applications in Microsoft's Office 2007 suite are vulnerable, as are Internet Explorer 8 (IE8), Firefox, Chrome, Opera and Safari browsers; PDF viewers including Adobe Reader and Foxit; instant messaging clients such as Windows Live Messenger, Skype and Yahoo Messenger; and multimedia players like QuickTime, Windows Media Player and Winamp.

In many cases, the applications he tested have been superseded by newer versions that may have been patched in the interim. For example, Kwon tested Mozilla's Firefox 3.0, which has been retired in favor of Firefox 3.5 and Firefox 3.6.

Kwon did not immediately respond to a second round of questions Sunday, including when he tested the applications for the .dll loading vulnerability.

But the UC Davis researcher, who classified the vulnerabilities as "resolution failure" and "resolution hijacking" bugs, noted that the flaws are not new.

"The problem of unsafe dynamic loading had been known for a while, but it had not been considered a serious threat because its exploitation requires local file system access on the victim host," Kwon wrote. "[But] the problem has started to receive more attention due to recently discovered remote code execution attacks."

The issue appears to have been first reported a decade ago by researcher Georgi Guninski. Yet Microsoft didn't take a stab at patching it until last year.

In April 2009, Microsoft issued MS09-015 , a Windows update designed to boost the operating system's defense against such attacks. But even that fix was long in coming, complained Israeli security researcher Aviv Raff.

"Microsoft declined fixing the bug in Windows until I found a way to automatically exploit Internet Explorer via Safari," Raff said Saturday in an instant message. "They said it would be very problematic to fix the whole thing, and would break a lot of third-party Windows applications. But eventually they fixed IE and updated the OS as well by changing the .dll loading patch search order."

Raff had originally reported the IE bugs in late 2006, and repeated his warnings in 2008 after another researcher revealed a flaw in Apple's Safari browser that could be used to "carpet bomb" Windows machines with malicious desktop shortcuts.

Kwon did not speculate on how Microsoft might try to patch the problem. But others have said they believe it will be difficult or even impossible to fix Windows without crippling a large number of applications. Still, something has to be done, Kwon argued.

"Our results show that unsafe DLL loadings are prevalent, and some can lead to serious security threats," Kwon stated. "More specifically, we found more than 1,700 unsafe dynamic component loadings with the administrative privilege and 19 remotely exploitable unsafe component loadings that can easily cause remote code execution."

So far, Microsoft has only acknowledged that it is investigating Moore's reports, but has not said whether, and if so, when it might release a patch. It might need to do so quickly; Moore promised that on Monday he would release a toolkit that "audits the local system and generates PoCs," or proof-of-concept attack code.

Kwon's paper, titled "Automatic Detection of Vulnerable Dynamic Component Loadings," can be obtained from the UC Davis Web site ( download PDF ).

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftsecurityWindowssoftwareoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?