Keeping binary planting bugs out of 120 million lines of code

In the course of the ongoing binary planting research, our company has discovered five binary planting bugs in Microsoft Office 2010: two in Word 2010, one in PowerPoint 2010 and one in Excel 2010. We notified Microsoft about the PowerPoint bug on July 20th (about 110 days ago), but subsequently this bug was also found and published by other researchers. Yesterday Microsoft released security updates for Microsoft Office 2010 resolving this issue. They acknowledged our researcher for the find and, not unimportantly, upgraded the severity rating to "critical" (from their original assessment of binary planting bugs as "important"). In light of our current research, where we're already able to exploit binary planting bugs with as little user assistance as visiting a web page and clicking twice in arbitrary locations, the highest severity rating is quite accurate.

Microsoft didn't just fix the PowerPoint binary planting bug we reported; they also fixed two other binary planting issues we knew about in Word 2010 and Excel 2010 (although you won't find these mentioned in their bulletin). Since these are the first binary planting bugs fixed by Microsoft, they deserve a bit of attention.

Let's start with some technical details. The three binary planting issues all had a common source: the library mso.dll (installed in %ProgramFiles%\Common Files\Microsoft Shared\office14\). This library made an unsafe call to LoadLibrary("pptimpconv.dll") in PowerPoint, LoadLibrary("wdimpconv.dll") in Word and LoadLibrary("xlimpconv.dll") in Excel. These DLLs, however, did not exist on Windows computers, so the loader fell through the search order and loaded them from the current working directory.

The exploitation of such bugs is simple: place an Office file alongside a malicious DLL with the right name somewhere the user can access it (e.g., DVD, USB key, local drive, local share or remote WebDAV share), and get the user to open the document. For the PowerPoint bug this was it; for Word and Excel, however, the Office Protected View, if it decided to kick in, actually provided an additional layer of security, as these DLLs were only loaded if the user decided to enable editing by clicking the button in the message bar.
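The root cause above is a bare-name LoadLibrary for a DLL that is absent from every directory the loader searches before the current working directory. The following PowerShell audit is an added example, not code from the original post or from Microsoft: it takes the three DLL names from the post and checks whether each exists in the application directory, the System32 directory or the Windows directory; a name missing from all three is one that a bare-name load would resolve from the CWD. The Office14 application path in $AppDir is an assumption for illustration.

```powershell
# Audit which bare DLL names would fall through to the CWD on the legacy
# search order (application dir -> System32 -> Windows dir -> CWD -> PATH).
# DLL names are the three from the post; $AppDir is an assumed Office 2010
# install location and should be adjusted for the binary being audited.
param(
    [string[]]$DllNames = @('pptimpconv.dll', 'wdimpconv.dll', 'xlimpconv.dll'),
    [string]$AppDir = "$env:ProgramFiles\Microsoft Office\Office14"  # assumption
)

# Directories consulted before the current working directory.
$safeDirs = @(
    $AppDir,
    [Environment]::GetFolderPath('System'),  # e.g. C:\Windows\System32
    $env:SystemRoot                          # e.g. C:\Windows
)

foreach ($name in $DllNames) {
    $hit = $safeDirs |
        ForEach-Object { Join-Path -Path $_ -ChildPath $name } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1

    if ($hit) {
        '{0,-16} resolves before the CWD: {1}' -f $name, $hit
    } else {
        '{0,-16} NOT FOUND on the safe search path; a bare-name LoadLibrary would load it from the CWD' -f $name
    }
}
```

Run it against the directory of any application whose LoadLibrary calls you are reviewing; every name it reports as not found is a candidate for a full-path load or for removal of the CWD from the search order in that code path.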