Windows Libraries
W2.1 Description

Windows libraries are modules that contain functions and data that can be used by other modules such as Windows applications. Windows applications typically leverage a large number of these libraries often packaged as dynamic-link library (DLL) files to carry out their functions. These libraries usually have the file extension DLL or OCX (for libraries containing ActiveX controls).

DLLs provide a way to modularize applications so that their functionality can be updated and reused easily. DLLs also help to reduce memory overhead when several applications use the same functionality at the same time. These libraries are used for many common tasks such as HTML parsing, image format decoding and protocol decoding. Local as well as remotely accessible applications use these libraries. Thus, a critical vulnerability in a library usually impacts a range of applications from Microsoft and third-party vendors that rely on that library. Often the exploitation is possible via multiple attack vectors. For instance, the flaws in image processing libraries can be exploited via Internet Explorer, Office and image viewers. In most cases, the libraries are used by all flavors of Windows operating systems, which increase the number of systems available for attacks.

During the past year, several windows libraries were reported to have critical vulnerabilities. In a number of cases, exploit codes were discovered before patches were available (zero-day).

In December 2005, a vulnerability (CVE-2005-4560) was reported in the Graphics Rendering Engine: when handling specially crafted Windows Metafile (WMF) images, it could cause arbitrary code to be executed. Several malicious exploits and malwares were discovered spreading widely over the Internet soon after the discovery. As this vulnerability can be exploited by simply viewing a malicious WMF image file (through websites or attachments), many applications were reported to be affected. Even some of the Lotus Notes versions were reported to be affected by this WMF zero-day exploit. A patch was not available until early January 2006. Details of this vulnerability and exploits can be found at: http://isc.sans.org/diary.php?storyid=993.

As vulnerabilities in Windows libraries can be exploited in multiple vectors, in many cases a remote attacker will just need to persuade a user to access a specially crafted website, image, icon, or cursor file and the attacker would be able to execute arbitrary code on that user's system, with their privileges.

The critical libraries affected during past year include:

• Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057, MS06-015).
• Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (MS06-050)
• Vulnerability in HTML Help Could Allow Remote Code Execution (MS06-046)


• Vulnerability in Microsoft Windows Could Allow Remote Code Execution (MS06-043)


• Vulnerability in Graphics Rendering Engine Could Allow
  Remote Code Execution (MS06-026,
  MS06-001)


• Vulnerability in Embedded Web Fonts Could Allow Remote Code
  Execution (MS06-002)