Larry Seltzer is an independent analyst focusing on security issues and a founder of OpenGov Solutions.
In August, 2010, the Slovenian security research firm ACROS Security issued an advisory for a vulnerability in Apple's iTunes. The details in the advisory accidentally exposed a much larger story that ACROS was working on quietly: Many Windows applications -- including many famous ones and possibly your own -- are vulnerable to the same attack. Luckily you can fix the problems and I'll show you how.
"Remote Binary Planting" is a new variation on an old attack, first identified 10 years ago by Georgi Guninski. He showed how an attacker could load a malicious DLL by including it in the same directory as a data file opened by the user through the Windows shell. At the time, the problem was that when Windows searched for a DLL to load, the current directory was high in the search order. When you load a data file in the shell, Windows sets the file's directory as the current directory when loading the file, so all you had to do was to name your DLL and the calls exported from it the same as the one expected by the application.
Here's how it works: The attacker places an enticing data file in a folder on a network share or web folder. Probably through a social networking attack ("Open mlb.xls to see pennant race analysis") he induces a user to open the file. In the same directory as the file is a DLL with the same name as one needed by the application to open the file, and exporting a function expected by the application. With a vulnerable application, Windows will look for the DLL in the current directory -- the one containing the data file -- before finding the real one, and therefore will load it and run the malicious code.
In response to this issue, Microsoft changed the DLL search order, created the SetDllDirectory function and issued guidance about proper loading of DLLs. It turns out that this advice is widely ignored, even within Microsoft.
ACROS's innovation in this attack was to show how to exploit it on a network share or remotely over the Internet on a WebDAV share. This raises the credibility of the attack scenario a great deal. Indeed, if an attacker gains access to a network, getting users to load data files from a network share within it should be relatively easy. This would be a great tool for an attacker perpetrating a targeted attack against your organization, where they have some knowledge of you already. All they need is the credentials of a relatively unprivileged user.