The flaw, publicly discussed by Metasploit's HD Moore and others, affects hundreds of Windows applications and require separate patches for each affected software.unofficial list of affected software, vendors affected includes Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and Nokia.
Microsoft previously published a knowledge base article and a utility to help protect systems by disallowing unsafe DLL-loading behavior. The company followed that up with a new one-click Fix-It tool that automates the mitigation. Both tools are required for users to protect themselves.
For more official information, read this very important blog post from Microsoft's Security Research & Defense team.
To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays.
Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on anytype of files. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it’s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.
The U.S. Computer Emergency Response Team (US-CERT) is also recommending the following workarounds until fixes are released by affected vendors
- disable loading libraries from WebDAV and remote network shares
- disable the WebClient service
- block outgoing SMB traffic