DLL hijacking issue prompts Microsoft advisory, tool

Powered by SC Magazine
 

"A new take on an old attack vector".

Microsoft is alerting the public about a new vector that can be used to infect PCs when an application is tricked into loading a malicious library.

The software giant issued the advisory this week after recent research revealed that a class of vulnerabilities known as "DLL (dynamic-link Library) preloading" can be exploited remotely by an attacker who places a malicious library on a network share, Christopher Budd, senior security response communications manager at Microsoft, said in a blog post. In the past, the attacker needed access to the local client system to perpetrate the exploit.

"In this [new] scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file," Budd wrote. "At that point, the application would load the malicious library and the attacker's code would execute on the user's system."

In addition to users disabling WebDAV and blocking outbound SMB (Server Message Block) traffic at the perimeter to prevent the threat, Microsoft released a tool that prevents the loading of libraries from network shares.

Andrew Storms, director of security operations at nCircle, a vulnerability management firm, called the threat a "new take on an old attack vector."

"Programs that are trying to load libraries may try to do so from an arbitrary directory, not a specific one," he told SCMagazineUS.com. "It's going to load the malware library as opposed to the library from Windows."

HD Moore, chief security officer of Rapid7, was among the first researchers to discover the issue, which he called DLL hijacking. Over the weekend, he posted exploit code as part of his open-source Metasploit hacking toolkit.

He said last week that 40 different Windows applications are susceptible to the attack. Now that the exploit is out, more and more researchers have claimed to discover vulnerable applications, including Windows Live Mail and PowerPoint.

"This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker," Moore wrote in a blog post. "This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless. [T]he flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory."

Microsoft did not say whether any of its programs are vulnerable.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Budd wrote. "As always, if we find this issue affects any of our products, we will address them appropriately."

Storms said organisations should play close attention to the issue — particularly whether any Microsoft products are vulnerable — and take the necessary mitigation steps, including educating users. However, they also should understand that a successful exploit is difficult to accomplish.

"It's not as easy as a click-a-link-and-be-owned kind of thing," he said. "Two steps of user interaction [are required]."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


DLL hijacking issue prompts Microsoft advisory, tool
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Looking for storage? Seagate has five new small business NAS devices
Aug 22, 2014
Seagate has announced a new portfolio of Networked Attached Storage (NAS) solutions specifically ...
Run a small business in western Sydney?
Aug 15, 2014
This event might be of interest if you're looking to meet other people with a similar interest ...
Buying a tablet? Microsoft's Surface Pro 3 goes on sale this month
Aug 8, 2014
Microsoft has announced its Surface Pro 3 will go on sale in Australia on 28 August from ...
Apple's top MacBook Pro with Retina is now cheaper
Aug 1, 2014
Apple has updated its MacBook Pro range with faster processors and new pricing, including ...
Pass on carbon tax savings, warns ACCC
Jul 24, 2014
The ACCC is warning businesses that supply "regulated goods" to pass on any cost savings ...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 702

Vote