This month's fairly light Patch Tuesday included a critical patch for Microsoft Office that fixed a couple of dangerous issues, including Microsoft's first and only patch for the DLL hijacking vulnerability that made big news in August. The Office patch also included a fix for a scary drive-by exploit which could infect a PC if an evil e-mail showed up in the preview box of Outlook.
Enterprise users may be pleased that Microsoft's patch for the DLL bug has arrived for Office, as several applications included in Office have been known to be vulnerable, including PowerPoint, Excel and Word. But there are other Microsoft applications including Windows XP SP3 and the new Microsoft Visual Studio 2010 that are hanging out waiting for a patch.
Microsoft has not released a list of its own Windows applications found to be affected by the DLL hole (which can't surprise anyone). But since the hole came to light about three months ago, others have created such lists. Vupen Security keeps this running list of a couple of dozen applications it knows to be affected. Those marked with a red square are considered to be rated critical. Notice that the DLL hole affects a couple of applications that are part of Windows XP SP3 (the still supported version). It has also been confirmed with older apps like Visio 2003.
In addition, US-CERT has this list of affected Microsoft wares, obtained from Secunia.
I confirmed with Microsoft today that this month's Office update is the only DLL hijacking patch issued by Microsoft. Jerry Bryant, group manager for Microsoft Security, said:
"We address a DLL-preloading (“binary planting”) issue affecting Microsoft Office in MS10-087, which was released on Tuesday (11/9/2010). We continue to analyze our own applications to identify those that are affected by this remote vector. As research progresses, we will take appropriate actions to protect customers, which may include releasing security advisories with mitigations and workarounds and additional security updates to address the issue."
Many other vendors' wares identified as vulnerable were patched within days of the attack code being included in the penetration testing tool Metasploit. That code has been available for a couple of months. The list of patched applications includes Mozilla Firefox, Apple Safari, uTorrent, Wireshark and many more.
At the time attack code became available, Microsoft issued a list of suggested workarounds and a tool to help IT managers identify which applications on their networks are vulnerable. (Here's a link to the story I wrote in August that gives details on what this hole is, how its discovery came about, and lists of affected applications.)
The DLL hole was identified as one of the ways the Stuxnet worm propagated and activated itself, according to Symantec. However, Symantec did not name a Microsoft application as the culprit. Microsoft has systematically been patching all the vulnerabilities found to have been part of Stuxnet.
The XP SP3 apps known to be vulnerable to the DLL attack: the Address Book (wab.exe) and Windows Progman Group Converter (grpconv.exe). In addition, I've found advisories that name other Microsoft products as vulnerable including Microsoft Office Groove 2007 (e.g. "mso.dll") and Microsoft Windows Live Mail (dwmapi.dll), plus, as I already mentioned, Visual Studio 2010.
By way of background: Patch Tuesday included three security bulletins that fixed 11 holes total in Office and Microsoft's security product, Forefront Unified Access Gateway. The patch for Office, MS10-087, is a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011. The scary drive-by bug is a hole in the RTF (rich text format) parser within Outlook.
The Internet Storm Center rated MS10-087 as critical because known attack code is available for the DLL hijacking vulnerability.
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.