Tuesday, November 23, 2010

The Unbearable Lightness Of Non-Fixing

A Short Study on Security Reactiveness And Proactiveness

Exactly 97 days after a new old vulnerability type called Binary Planting, DLL Hijacking, DLL Preloading and Insecure Library Loading has gained public attention, it is clear that:

  1. These bugs are ubiquitous and can be found in many widely-used as well as less known applications;
  2. Not just DLL loading, but also EXE loading is affected;
  3. Remote exploitation of these bugs is not just possible but possible in a wide variety of ways, also from Internet servers directly to internal corporate networks (Stuxnet, for instance, uses binary planting); and finally:
  4. Few vendors seem to care much about fixing these remote-execution bugs.

Let us substantiate the last claim and provide some thoughts about possible reasons for this situation.

We have two different sources of information on existing binary planting bugs and their status. The first source are published full-disclosure reports provided by many researchers. We chose Secunia's list of verified advisories as a representative sample of publicly known binary planting bugs, although many researchers worldwide are doing a great job in finding these bugs. The second source is our own private list of publicly unknown binary planting vulnerabilities, which we've built throughout our Binary Planting Research Project. We're only using a subset of the vulnerabilities we found in this project: we re-tested some of the most widely-used products and omitted bugs subsequently found by others and publicly disclosed.

These two sources are both fairly large (compared to other similar sources), both verified and both providing vulnerabilities of the same type. The only important difference between them is that one provides publicly known vulnerabilities and the other vulnerabilities unknown to the public. This gives us a unique opportunity to get a peek into the - otherwise inaccessible - world of unknown vulnerabilities.

Status of PUBLICLY KNOWN binary planting vulnerabilities

TotalUnfixedFixedPercent Fixed
DLL Planting bugs1511282315%
EXE Planting bugs81788%
DLL+EXE Planting bugs1591293019%

The above table shows the status of those binary planting vulnerabilities that have been fully disclosed to public. Note that the amount of time elapsed since their disclosure is not taken into account; however, majority of these bugs have been disclosed at least 2 months ago. We assume (i.e., hope) that most affected applications' vendors are aware of the published vulnerabilities.

Out of 159 vulnerabilities verified by Secunia, 19% have been fixed so far. Interestingly, after some web browser vendors' initial quick response (Firefox, Opera, Safari), most of the fixes were done by smaller vendors, perhaps predominantly in open-source software. In general, large vendors seem to be very slow in patching - which is often rationalized by extensive testing they need to perform, but may also be due to their business models not providing sufficient rewards for security fixing. An unfixed known vulnerability in Windows Address Book, for instance, can still be used for testing your exposure to binary planting.

Status of PUBLICLY UNKNOWN binary planting vulnerabilities

TotalUnfixedFixedPercent Fixed
DLL Planting bugs666246%
EXE Planting bugs282800%
DLL+EXE Planting bugs949044%

The above table shows the status of binary planting vulnerabilities that have not been disclosed to public; these bugs have been discovered between December 2008 and July 2010 (but only a subset is being used here). It is unknown whether the affected applications' authors are aware of these vulnerabilities or not.

Unsurprisingly, very few of the publicly unknown vulnerabilities have been fixed, and of those 4 that have been, the affected products have mostly changed their design and appearance substantially, which might have led to accidental (as opposed to intentional) fixing.


What can we conclude from this? First, the status of publicly known binary planting bugs shows that vendors are slow at fixing these bugs even though their existence is obviously accessible to their customers, and also available to those who might want to attack the said customers. In a profoundly unscientific way we could say that today's software vendors' security reactiveness runs at 19%. If we ever hope to have our increasingly critical computer systems decently secure, vendors should strive to reach a 100% rate of prompt reaction to known vulnerabilities. Fixing a remotely exploitable critical bug in a few days should then be a norm, not an exception.

Second, the status of publicly unknown binary planting bugs provides a rare insight into software vendors' proactiveness when it comes to security. Remember that binary planting vulnerabilities have been all over the media for over three months, analyzed on many blogs and discussed in length on numerous web sites and forums. It is hard to imagine that a software vendor actually proactive in security (never mind what their marketing material says) could miss all this. And a proactive vendor would at least fire up Process Monitor and take a look at how their applications load libraries and launch executables. Accounting for the likelihood that the four fixed unpublished bugs were fixed by accident, we could say that software vendors' security proactiveness, as far as binary planting bugs go, runs near zero.

Finally, there's no reason to believe that binary planting bugs are getting treated any differently from other types of vulnerabilities. Similar results would probably be obtained from any sufficiently long lists of known and unknown vulnerabilities. Assuming that software vendors are behaving rationally and optimally with respect to their business objectives, the security of tomorrow's systems will require some adjustments to their business models. Bug bounties, recently offered by Mozilla, Google and some other vendors, just might be a step in the right (i.e., proactive) direction.

Wednesday, November 10, 2010

Analysis Of The Microsoft Office 2010 Binary Planting Bugs

Keeping binary planting bugs out of 120 million lines of code

In the course of the ongoing binary planting research, our company has discovered five binary planting bugs in Microsoft Office 2010: two in Word 2010, one in PowerPoint 2010 and one in Excel 2010. We notified Microsoft about the PowerPoint bug on July 20th (about 110 days ago), but subsequently this bug was also found and published by other researchers.

Yesterday Microsoft released security updates for Microsoft Office 2010 (here, here) resolving this issue. They acknowledged our researcher for the find, and, not unimportantly, seemed to have upgraded the severity rating to "critical" (from their original assessment of binary planting bugs as "important"). In light of our current research, where we're already able to exploit binary planting bugs with as little user assistance as visiting a web page and clicking twice in arbitrary locations, the highest severity rating would be quite appropriate.

Microsoft didn't just fix the PowerPoint binary planting bug we reported; they also fixed two other binary planting issues we knew about in Word 2010 and Excel 2010 (although you won't find these mentioned in their bulletin). Since these are the first binary planting bugs fixed by Microsoft, they deserve a bit of attention. Let's start with some technical details:

The three binary planting issues all had a common source: the library called mso.dll (installed in %ProgramFiles%\Common Files\Microsoft Shared\office14\). This library made an unsafe call to LoadLibrary("pptimpconv.dll") in PowerPoint, LoadLibrary("wdimpconv.dll") in Word and LoadLibrary("xlimpconv.dll") in Excel. These DLLs, however, did not exist on Windows computers, and were thus loaded from the current working directory. The exploitation of such bugs is simple: place an Office file alongside a malicious DLL with the right name somewhere where the user will be able to access it (e.g., DVD, USB key, local drive, local share or remote WebDAV share), and get the user to open the document. For the PowerPoint bug this was it; for Word and Excel however, the Office Protected View, if it decided to kick in, actually provided an additional layer of security as these DLLs were only loaded if the user decided to enable editing by clicking the button in the message bar.

For all three bugs, it was a case of a "classic" binary planting error of a most common type: trying to load a DLL to see if it's there. Google search seems to find nothing about these DLLs outside the binary planting context, so we conclude that this was likely a case of "forward compatibility," i.e., Office applications trying to load DLLs that were planned to be placed on the computer at some point in the future.

Yesterday's security update fixes these bugs such that the non-existing libraries are not being loaded any more.

From the development perspective, one might wonder how difficult it is for a vendor to find all binary planting issues in their own code, or, better yet, to prevent them from being introduced in the first place. It seems really easy: search the entire source code for LoadLibrary calls and make sure they all provide a full path to the DLL, or that the DLLs they load are sure to be found in the application folder or one of the system folders.

But it isn't easy. The millions of lines of Office code probably contain tens of thousands of LoadLibrary calls, many of which don't use string literals for DLL names but some input passed by a calling function. Furthermore, many of these calls, even if potentially vulnerable, may not be exploitable (so it wouldn't make economic sense to invest into additional coding and testing), but it can also be very time-consuming to determine which are exploitable and which aren't. No vendor will invest a lot of effort into something that may not even be a problem.

And it's not just LoadLibrary calls: all functions/methods in all languages (including macros, VBScripts, JScripts and shell scripts) that load libraries or launch executables can be a source of binary planting bugs.

The mighty proactive SDL (secure development lifecycle) apparently doesn't help much either, or there wouldn't be so many binary planting bugs in so many products by so many vendors practicing it. Training developers in secure coding sounds nice, and it surely contributes to the security of software products, but if it fails to eliminate trivial bugs like binary planting (and buffer overflows, and cross-site scripting, and what-not-injections), perhaps it is time to rethink the priorities.

With today's complex software products, security requires more control. Much more control. Even if developed by super-trained security paranoids, applications need more external security testing, more hacking from different directions, more proactive "attacks" by people with different experiences and knowledge. All that before they get installed on users' computers, if we want to call our approach to security "proactive" in any meaningful way.

P.S.: As for the two aforementioned unfixed binary planting bugs in Office 2010 and further news on binary planting, follow our research on Twitter.