
State of Windows Application Security: Shared Libraries 

by Chuanda Ding, Xuanwu Lab, Tencent

In recent years, application codebases have become increasingly complex; it is almost impossible for one developer or vendor to write an application from scratch without using third-party libraries. Shared libraries such as OpenSSL are widely used in most popular applications produced by Adobe, Google, and thousands of smaller vendors.

For example, of the 2402 software versions we found using OpenSSL, none had upgraded to the latest OpenSSL releases (1.0.1u / 1.0.2j / 1.1.0c), while over a hundred of them are still affected by the Heartbleed vulnerability.
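Added here as an illustration, not code from the talk: a small Python inventory check that extracts the OpenSSL version banner embedded in a binary, compares it with the latest releases named above, and flags the Heartbleed-affected 1.0.1 to 1.0.1f range. The sample byte blobs are constructed stand-ins for bundled DLLs.

```python
import re
from pathlib import Path

# Latest release per branch as stated in the talk abstract (late 2016).
LATEST = {"1.0.1": "1.0.1u", "1.0.2": "1.0.2j", "1.1.0": "1.1.0c"}

# OpenSSL binaries embed a banner such as "OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-fips)?\s+\d{1,2} \w{3} \d{4}")

def parse_version(v):
    """'1.0.1f' -> (1, 0, 1, 'f'); an unlettered release sorts before 'a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"not an OpenSSL version: {v}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def find_openssl_version(blob):
    """Return the first OpenSSL version banner found in a byte blob, or None."""
    m = BANNER.search(blob)
    return (m[1] + m[2]).decode() if m else None

def assess(version):
    """Classify one version: its branch, whether it is current, Heartbleed exposure."""
    parsed = parse_version(version)
    branch = ".".join(str(x) for x in parsed[:3])
    latest = LATEST.get(branch)  # None for branches not listed above
    return {
        "version": version,
        "branch": branch,
        "up_to_date": latest is not None and parsed >= parse_version(latest),
        # Heartbleed affects 1.0.1 through 1.0.1f; it was fixed in 1.0.1g.
        "heartbleed": parsed[:3] == (1, 0, 1) and parsed[3] < "g",
    }

def scan_blobs(blobs):
    """blobs: {name: bytes}. Returns {name: assessment} for blobs embedding OpenSSL."""
    results = {}
    for name, blob in blobs.items():
        v = find_openssl_version(blob)
        if v:
            results[name] = assess(v)
    return results

def scan_files(paths):
    """Same scan over real files on disk (e.g. libeay32.dll / ssleay32.dll)."""
    return scan_blobs({str(p): Path(p).read_bytes() for p in paths})

# Constructed stand-ins for bundled DLLs; a real inventory would call scan_files().
SAMPLES = {
    "app_a/libeay32.dll": b"MZ\x90\x00...\x00OpenSSL 1.0.1f 6 Jan 2014\x00...",
    "app_b/ssleay32.dll": b"MZ\x90\x00...\x00OpenSSL 1.0.2j  26 Sep 2016\x00...",
    "app_c/helper.dll": b"MZ\x90\x00...no crypto here...",
}
```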

The Qt runtime, famous for its GUI framework and cross-platform capabilities, is one of the most widely used shared libraries. Its 4.x branch accounts for the majority of the version distribution. QtWebKit in Qt 4.x provides a WebKit engine with JavaScript functionality; however, this project was found to have too many security vulnerabilities and was abandoned in favor of QtWebEngine. We found that over 400 software versions are bundled with QtWebKit and could be vulnerable to attacks.