DLL hijacking bug hits Microsoft Windows

25 August 2010

A large and growing list of applications appears to be vulnerable to a Dynamic-Link Library (DLL) hijacking exploit, prompting Microsoft to issue a security advisory.

According to the latest Microsoft advisory, this exploit involves a remote attack vector for a specific class of vulnerabilities that affect how applications load external libraries in Windows.

Microsoft said an attacker who completes a successful exploit would acquire the same rights as the logged-in user and, if that user is logged in as the administrator, would have complete control of an affected system.

The likely exploit scenario, according to Jonathan Ness and Maarten Van Horenbeeck of the Microsoft Security Response Center (MSRC), is a two-step attack where users must “open a file hosted on an attacker-controlled SMB or WebDAV share. The file itself would not necessarily be malicious or malformed”, the duo warned in an MSRC blog posting, adding “The key is that the file is loaded from a location where an attacker can also place a malicious DLL with the same name as a DLL the vulnerable application loads”.

“If a perimeter firewall prevents a system from making outbound SMB or WebDAV connections to attacker-controlled locations, this issue poses little risk”, Ness and Van Horenbeeck claimed. “An attack cannot be automatically launched through email or web browsing attack vectors; a user must choose to open a file.”

“However we recognize that users will often open trusted filetypes. We continue to recommend that all outbound SMB is filtered at the perimeter firewall.”

Indeed, the subsequent Microsoft security advisory recommends that users disable the loading of libraries from WebDAV and remote network shares.

In response to the vulnerability, Microsoft has issued tool packages for each of its supported operating systems that inhibit the loading of libraries from network shares.

Christopher Budd, senior security response communications manager with Microsoft, said this tool would allow system administrators to mitigate risks associated with the DLL vulnerability by “altering the library-loading behavior for the operating system or for specific applications”.

He also added that Microsoft has issued guidance for developers so they can avoid the vulnerability and take measures to ensure that libraries called by programs load correctly.
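The search behaviour behind the advisory can be modelled in a few lines. The following is an added example, not code from the article or from Microsoft: it assumes the documented default Windows search order (application directory, system directories, current directory, then PATH), and the `block_remote_cwd` flag, directory listings and DLL names are hypothetical stand-ins for the mitigation tool's effect and for a real application.

```python
# Added illustration: a simplified model of the Windows DLL search order.
# Directory contents are constructed sample data; KnownDLLs, manifests and
# other loader details are deliberately not modelled.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def is_remote(path):
    """True for UNC paths (SMB shares, or WebDAV reached through a UNC path)."""
    return path.startswith("\\\\")

def search_order(app_dir, cwd, path_dirs, block_remote_cwd=False):
    """Default order: app dir, system dirs, current directory, PATH."""
    order = [app_dir] + SYSTEM_DIRS
    if not (block_remote_cwd and is_remote(cwd)):
        order.append(cwd)  # hypothetical mitigation flag skips a remote CWD
    return order + list(path_dirs)

def resolve(dll, fs, order):
    """Return the first directory in `order` that contains `dll`, else None."""
    for d in order:
        if dll.lower() in (n.lower() for n in fs.get(d, ())):
            return d
    return None

def audit(imports, fs, app_dir, cwd, path_dirs=(), block_remote_cwd=False):
    """Map each DLL name to (resolved directory, loaded-from-remote-CWD flag)."""
    order = search_order(app_dir, cwd, path_dirs, block_remote_cwd)
    report = {}
    for dll in imports:
        hit = resolve(dll, fs, order)
        report[dll] = (hit, hit is not None and hit == cwd and is_remote(cwd))
    return report

# Constructed scenario: opening a document from a share makes the share the CWD.
SHARE = r"\\fileserver.example\docs"
APP = r"C:\Program Files\Viewer"
FS = {
    APP: ["viewer.exe", "render.dll"],
    r"C:\Windows\System32": ["kernel32.dll", "user32.dll"],
    SHARE: ["report.doc", "optcodec.dll", "user32.dll"],
}
IMPORTS = ["render.dll", "user32.dll", "optcodec.dll"]

if __name__ == "__main__":
    for flag in (False, True):
        print("block_remote_cwd =", flag)
        for dll, result in audit(IMPORTS, FS, APP, SHARE, block_remote_cwd=flag).items():
            print("  ", dll, "->", result)
```

Only the library that is absent from the application and system directories falls through to the share; a same-named copy of `user32.dll` on the share is never reached, and with the remote current directory excluded the missing library simply fails to load.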

Dozens of popular applications are thought to be affected by the DLL bug, including web browsers Google Chrome, Mozilla Firefox, Apple Safari, and Opera, in addition to common productivity apps such as PowerPoint 2010, Microsoft Word, Adobe Dreamweaver, and Adobe Photoshop.

Security firm Vupen Security is currently tracking applications with known vulnerabilities to the DLL hijacking bug on its website.

Microsoft did not release its own initial list of vulnerable applications, saying only that the company is currently investigating applications affected by the issue and notifying developers who may also be affected, while assuring it would “take appropriate action to protect [its] customers”.


Comments

callecx says:

26 August 2010
You do not _understand_. This "attack" was recently turned into "vulnerabilities" by kids, or someone who obviously has no idea. DLL hijacking has been around for years. It's more of a backdooring technique, not an exploit! It involves modifying or replacing part of the application's core DLLs. Replacing a DLL which is what all these posts on exploit-db are doing: http://www.exploit-db.com/local/ This is no different from replacing the binary itself!

It's difficult to believe something so stupid could brainwash so many people. Guess that is what happens when you have amateurs attempting to be professionals.
