Revisiting the Safari Vulnerability on Windows
A little over a week ago, I wrote about a security advisory from Microsoft warning that Apple's Safari Web browser for Windows introduces new vulnerabilities. Specifically, Microsoft said it allows automatic downloading of files to the Windows desktop, files that in some cases could be run without the user's knowledge.
Over the weekend, I heard from a noted security researcher who has put together a proof-of-concept exploit for this vulnerability that suggests it is more of a design flaw in Windows than a problem with Safari.
The code comes from an analysis by Liu Die Yu, a researcher credited with finding a number of security holes in Windows, and specifically in Internet Explorer. If you visit this test link with Safari on Windows, it should silently download a harmless file called "schannel.dll" to the desktop. Despite the name, it is not a Microsoft component: it is a tiny dynamic-link library (DLL) whose only job, the next time you start Internet Explorer and IE loads it, is to launch Notepad, the default text editor on Windows.
While this may seem a rather tame example, the planted DLL runs inside Internet Explorer with the user's privileges, so it could be written to do anything the user can do, such as steal data from the victim's machine or install malicious software. But the point is that if the operating system allows a third-party browser to write a nine-line piece of code to the desktop that another application will then load and run automatically, and that code is permitted to launch any program on Windows, that's a fairly big security hole.
Liu Die Yu told me that this exploit works on Windows XP and Vista and with any version of IE, including the latest IE 8 beta version. I was able to verify it with IE 6 and IE 7 on Windows XP, but could not get the exploit to work on Vista (Ultimate). Microsoft's advisory says Vista is equally exploitable.
As Liu Die Yu notes, this vulnerability is hardly new. Researcher Aviv Raff warned about it back in November 2006 when Microsoft was first releasing IE7. Raff explained then that even the newer version of IE was vulnerable to what he called "DLL-load hijacking."
Dynamic-link library (DLL) files are widely used on Windows, as they provide a way to modularize programs so that their functionality can be updated and reused more easily. DLLs also reduce memory use when several programs need the same functionality at the same time: each process gets its own copy of the DLL's data, but the DLL's code pages are shared between them.
Raff found that IE is fundamentally vulnerable to DLL hijacking, because when it is first launched it loads several DLL files, and it asks for some of them by bare file name rather than by full path. As a result, he said, Windows walks its standard DLL search order through several directories on the user's machine and loads the first file whose name matches the one it is seeking.
Raff noted that Windows by default looks for DLLs in the current working directory right after Internet Explorer's own directory. As most users run Internet Explorer by clicking on an IE icon on the desktop, in most cases that current directory will be the user's desktop, since a shortcut with no "Start in" folder set uses the folder it lives in (Raff posted a follow-up that explains this flaw in a bit more detail; see also his latest post on this subject here.). Exactly where the current directory falls in the search depends on the SafeDllSearchMode setting: with it disabled, Windows probes the current directory immediately after the application's directory, as Raff describes; with it enabled, Windows checks the System32, System and Windows directories first and only then the current directory, though still ahead of anything on the PATH.
So why does Liu Die Yu's proof-of-concept work? Because one of the DLLs that Internet Explorer searches for when it starts up is "schannel.dll." By giving his DLL the same name and placing it on the desktop, Liu Die Yu ensures that IE's search for one of its core DLL files ends there, and that his code rather than the genuine library gets loaded.
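The search-order walk described above, written out as an added example (this is not code from the post, from Liu Die Yu or from Aviv Raff). The two directory orders are the documented Windows DLL search orders for SafeDllSearchMode off and on; the directory listings, the list of names the browser is assumed to request by bare file name, and the hypothetical "optional.dll" are constructed for illustration, since the post does not say which names IE actually probes at start-up. The resolver shows the practical caveat: a file dropped into the working directory only wins when nothing earlier in the order already supplies that name, and KnownDLLs or already-loaded modules never reach the directory walk at all.

```python
"""Model of the Windows DLL search order: which file the loader maps when a
module is requested by bare name, and which of those an attacker who can
plant files in the working directory (here, the desktop) can hijack.

Added example; not code from the original post or from the researchers it
cites. Directory listings and the probe list below are constructed.
"""

# Search order with SafeDllSearchMode enabled (the default since XP SP2).
SAFE_ORDER = ("app", "system32", "system", "windows", "cwd", "path")
# Search order with SafeDllSearchMode disabled: the current directory is
# probed right after the application's own directory.
UNSAFE_ORDER = ("app", "cwd", "system32", "system", "windows", "path")


def search_order(app_dir, cwd, system32, system, windows, path_dirs, safe_mode=True):
    """Directories the loader walks, in order, for a bare-name request."""
    slots = {"app": [app_dir], "cwd": [cwd], "system32": [system32],
             "system": [system], "windows": [windows], "path": list(path_dirs)}
    order = SAFE_ORDER if safe_mode else UNSAFE_ORDER
    return [d for slot in order for d in slots[slot]]


def resolve_dll(name, dirs, listing, known_dlls=(), loaded=()):
    """Return (kind, path) for the module the loader would use for `name`.

    `listing` maps a directory to the set of lower-cased file names in it.
    Modules already in the process and KnownDLLs short-circuit the walk, so
    they can never be satisfied from the current directory.
    """
    name = name.lower()
    if name in {n.lower() for n in loaded}:
        return ("already-loaded", None)
    if name in {n.lower() for n in known_dlls}:
        return ("knowndll", None)
    for d in dirs:
        if name in listing.get(d, set()):
            return ("file", f"{d}\\{name}")
    return ("not-found", None)


def hijackable_names(wanted, dirs, listing, cwd, **kw):
    """Names in `wanted` that the loader would take from `cwd` instead of a
    system directory: the ones a planted file can hijack."""
    out = []
    for name in wanted:
        kind, path = resolve_dll(name, dirs, listing, **kw)
        if kind == "file" and path.lower().startswith(cwd.lower() + "\\"):
            out.append(name)
    return out


# Constructed XP-style layout. The genuine schannel.dll lives in System32; an
# attacker's copy, plus a hypothetical "optional.dll" that is not installed
# anywhere on the system, sit on the desktop, which is IE's working directory
# when it is started from a desktop shortcut.
DESKTOP = r"C:\Documents and Settings\user\Desktop"
IE_DIR = r"C:\Program Files\Internet Explorer"
SYSTEM32 = r"C:\WINDOWS\system32"
SYSTEM = r"C:\WINDOWS\system"
WINDOWS = r"C:\WINDOWS"
PATH = (r"C:\WINDOWS\system32", r"C:\WINDOWS")

LISTING = {
    SYSTEM32: {"schannel.dll", "kernel32.dll"},
    DESKTOP: {"schannel.dll", "optional.dll"},
    IE_DIR: {"iexplore.exe"},
}
# Constructed stand-in for the names the browser requests by bare file name
# at start-up; schannel.dll is the name used in the post's PoC.
IE_PROBES = ("schannel.dll", "optional.dll", "kernel32.dll")


def demo(safe_mode):
    """Which of the constructed probes a desktop-planted file would hijack."""
    dirs = search_order(IE_DIR, DESKTOP, SYSTEM32, SYSTEM, WINDOWS, PATH, safe_mode)
    return hijackable_names(IE_PROBES, dirs, LISTING, DESKTOP,
                            known_dlls=("kernel32.dll",))


if __name__ == "__main__":
    print("SafeDllSearchMode off:", demo(False))
    print("SafeDllSearchMode on :", demo(True))
```

With SafeDllSearchMode off, both desktop files win; with it on, only the name that has no copy in System32, System or the Windows directory can be hijacked from the desktop. That is why, when auditing an application for this class of bug, the interesting list is the bare-name loads that fail in the system directories, not every DLL the program uses. Note also that `os.listdir` and `os.scandir` return files carrying the hidden attribute, so a scanner built on them sees what Explorer's default view does not.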
Worse yet, Raff notes, an attacker doesn't have to drop the poisoned DLL file on the Windows desktop for all to see: the file can be hidden by setting the "hidden" file attribute in Windows, which any program running as the user can do (for example with the command "attrib +h"). By default, Windows does not display hidden files, and most Windows users never change this option (to show hidden files in Windows, open Windows Explorer, select "Tools," "Folder Options," then "View," and change the radio button selection under "Hidden Files and Folders"). Hiding the file does nothing to stop the loader from finding it.
In an advisory issued last month, Microsoft said it may issue a security update to fix the vulnerability, and my sense is that the company will do just that. I hope that happens sooner rather than later, as this seems like a security vulnerability that could be exploited via any number of third-party software applications for Windows, not just Safari.
June 8, 2008; 12:35 PM ET
Categories: From the Bunker , Latest Warnings , New Patches , Safety Tips