DLL hijacking issue prompts Microsoft advisory, tool

Powered by SC Magazine
 

"A new take on an old attack vector".

Microsoft is alerting the public about a new vector that can be used to infect PCs when an application is tricked into loading a malicious library.

The software giant issued the advisory this week after recent research revealed that a class of vulnerabilities known as "DLL (dynamic-link library) preloading" can be exploited remotely by an attacker who places a malicious library on a network share, Christopher Budd, senior security response communications manager at Microsoft, said in a blog post. In the past, the attacker needed access to the local client system to perpetrate the exploit.

"In this [new] scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file," Budd wrote. "At that point, the application would load the malicious library and the attacker's code would execute on the user's system."

Users can disable WebDAV and block outbound SMB (Server Message Block) traffic at the perimeter to prevent the threat; in addition, Microsoft released a tool that prevents the loading of libraries from network shares.

Andrew Storms, director of security operations at nCircle, a vulnerability management firm, called the threat a "new take on an old attack vector."

"Programs that are trying to load libraries may try to do so from an arbitrary directory, not a specific one," he told SCMagazineUS.com. "It's going to load the malware library as opposed to the library from Windows."

HD Moore, chief security officer of Rapid7, was among the first researchers to discover the issue, which he called DLL hijacking. Over the weekend, he posted exploit code as part of his open-source Metasploit hacking toolkit.

He said last week that 40 different Windows applications are susceptible to the attack. Now that the exploit is out, more and more researchers have claimed to discover vulnerable applications, including Windows Live Mail and PowerPoint.

"This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker," Moore wrote in a blog post. "This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless. [T]he flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory."

Microsoft did not say whether any of its programs are vulnerable.
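
A simplified model of the library search behaviour that Storms and Moore describe above, added here as an illustration and not code from Microsoft, Rapid7 or the article: it reports which bare-name library requests end up satisfied from the working directory under the default safe search order, the legacy order, and with the working directory removed from the search. The directory layout and DLL names are constructed (`optcodec.dll` is hypothetical), and KnownDLLs, the 16-bit system directory and manifests are left out.

```python
import os
import tempfile

def search_order(app_dir, cwd, system_dirs, path_dirs, safe_search=True, allow_cwd=True):
    """Directories probed, in order, for a DLL requested by bare file name."""
    cwd_part = [cwd] if allow_cwd else []
    if safe_search:   # safe search mode: working directory comes after the system directories
        return [app_dir, *system_dirs, *cwd_part, *path_dirs]
    return [app_dir, *cwd_part, *system_dirs, *path_dirs]

def resolve(dll, order):
    """Return the first existing candidate, matched case-insensitively as on Windows."""
    for d in order:
        for entry in sorted(os.listdir(d)):
            if entry.lower() == dll.lower():
                return os.path.join(d, entry)
    return None

def loaded_from_cwd(dlls, app_dir, cwd, system_dirs, path_dirs, **modes):
    """Names from `dlls` that would be satisfied by a file in the working directory."""
    order = search_order(app_dir, cwd, system_dirs, path_dirs, **modes)
    hits = []
    for dll in dlls:
        found = resolve(dll, order)
        if found and os.path.dirname(found) == cwd:
            hits.append(dll)
    return hits

def demo():
    """Build a constructed layout in temp dirs and compare the three configurations."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("app", "share", "system32", "windows")}
    for d in dirs.values():
        os.mkdir(d)
    # Constructed files: empty placeholders, not real libraries.
    for d, name in (("system32", "version.dll"), ("share", "version.dll"),
                    ("share", "optcodec.dll"), ("share", "report.dat")):
        open(os.path.join(dirs[d], name), "w").close()
    wanted = ["version.dll", "optcodec.dll"]   # hypothetical names the app requests
    args = (wanted, dirs["app"], dirs["share"], [dirs["system32"], dirs["windows"]], [])
    return {
        "safe_search": loaded_from_cwd(*args, safe_search=True),
        "legacy_order": loaded_from_cwd(*args, safe_search=False),
        "cwd_removed": loaded_from_cwd(*args, allow_cwd=False),
    }

if __name__ == "__main__":
    for mode, names in demo().items():
        print(f"{mode:13} loaded from working directory: {names}")
```

The safe search order only protects names that also exist in a system directory; a library the application requests but that is not installed anywhere earlier in the order is still taken from the working directory until that directory is dropped from the search.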

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Budd wrote. "As always, if we find this issue affects any of our products, we will address them appropriately."

Storms said organisations should pay close attention to the issue — particularly whether any Microsoft products are vulnerable — and take the necessary mitigation steps, including educating users. However, they also should understand that a successful exploit is difficult to accomplish.

"It's not as easy as a click-a-link-and-be-owned kind of thing," he said. "Two steps of user interaction [are required]."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition

