DLL hijacking issue prompts Microsoft advisory, tool

Powered by SC Magazine
 

"A new take on an old attack vector".

Microsoft is alerting the public about a new vector that can be used to infect PCs when an application is tricked into loading a malicious library.

The software giant issued the advisory this week after recent research revealed that a class of vulnerabilities known as "DLL (dynamic-link Library) preloading" can be exploited remotely by an attacker who places a malicious library on a network share, Christopher Budd, senior security response communications manager at Microsoft, said in a blog post. In the past, the attacker needed access to the local client system to perpetrate the exploit.

"In this [new] scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file," Budd wrote. "At that point, the application would load the malicious library and the attacker's code would execute on the user's system."

In addition to users disabling WebDAV and blocking outbound SMB (Server Message Block) traffic at the perimeter to prevent the threat, Microsoft released a tool that prevents the loading of libraries from network shares.

Andrew Storms, director of security operations at nCircle, a vulnerability management firm, called the threat a "new take on an old attack vector."

"Programs that are trying to load libraries may try to do so from an arbitrary directory, not a specific one," he told SCMagazineUS.com. "It's going to load the malware library as opposed to the library from Windows."

HD Moore, chief security officer of Rapid7, was among the first researchers to discover the issue, which he called DLL hijacking. Over the weekend, he posted exploit code as part of his open-source Metasploit hacking toolkit.

He said last week that 40 different Windows applications are susceptible to the attack. Now that the exploit is out, more and more researchers have claimed to discover vulnerable applications, including Windows Live Mail and PowerPoint.

"This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker," Moore wrote in a blog post. "This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless. [T]he flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory."

Microsoft did not say whether any of its programs are vulnerable.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Budd wrote. "As always, if we find this issue affects any of our products, we will address them appropriately."

Storms said organisations should play close attention to the issue — particularly whether any Microsoft products are vulnerable — and take the necessary mitigation steps, including educating users. However, they also should understand that a successful exploit is difficult to accomplish.

"It's not as easy as a click-a-link-and-be-owned kind of thing," he said. "Two steps of user interaction [are required]."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


DLL hijacking issue prompts Microsoft advisory, tool
 
 
 
Top Stories
Don’t mention digital disruption to David Whiteing
Buzzwords don’t curry favour with CBA's new CIO - it’s all just innovation to him.
 
Content, cost & constant innovation: How Foxtel plans to take on Netflix
Nell Payne inhabits the “brave new world of blue strings and networking”. Just don't ask her to put a TV screen on your microwave.
 
Westpac fires starting pistol on core banking upgrade
St George readies itself for move to Celeriti.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
New features are coming to Outlook.com
May 27, 2015
Outlook.com, thanks to its predecessor Hotmail.com, is one of the world's major webmail services ...
Windows 10 to feature integrated apps for Android and iOS
May 27, 2015
Microsoft reveals multi-platform Cortana connectivity for Windows 10. What the heck is that, and ...
Microsoft launches Office for Android preview
May 22, 2015
Microsoft has launched a preview of Office for Android smartphones. Pre-release versions of ...
Microsoft is working on an iOS email chat feature called Flow
May 22, 2015
Microsoft is working on a new chat app, but at the moment we know more about what we DON'T know, ...
Windows 10 free upgrade: Microsoft details who gets what
May 22, 2015
Microsoft was meant to be streamlining its OS with Windows 10, so why is upgrading so confusing? ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  43%
 
No
  57%
TOTAL VOTES: 610

Vote