DLL hijacking issue prompts Microsoft advisory, tool

Powered by SC Magazine
 

"A new take on an old attack vector".

Microsoft is alerting the public about a new vector that can be used to infect PCs when an application is tricked into loading a malicious library.

The software giant issued the advisory this week after recent research revealed that a class of vulnerabilities known as "DLL (dynamic-link Library) preloading" can be exploited remotely by an attacker who places a malicious library on a network share, Christopher Budd, senior security response communications manager at Microsoft, said in a blog post. In the past, the attacker needed access to the local client system to perpetrate the exploit.

"In this [new] scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file," Budd wrote. "At that point, the application would load the malicious library and the attacker's code would execute on the user's system."

In addition to users disabling WebDAV and blocking outbound SMB (Server Message Block) traffic at the perimeter to prevent the threat, Microsoft released a tool that prevents the loading of libraries from network shares.

Andrew Storms, director of security operations at nCircle, a vulnerability management firm, called the threat a "new take on an old attack vector."

"Programs that are trying to load libraries may try to do so from an arbitrary directory, not a specific one," he told SCMagazineUS.com. "It's going to load the malware library as opposed to the library from Windows."

HD Moore, chief security officer of Rapid7, was among the first researchers to discover the issue, which he called DLL hijacking. Over the weekend, he posted exploit code as part of his open-source Metasploit hacking toolkit.

He said last week that 40 different Windows applications are susceptible to the attack. Now that the exploit is out, more and more researchers have claimed to discover vulnerable applications, including Windows Live Mail and PowerPoint.

"This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker," Moore wrote in a blog post. "This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless. [T]he flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory."

Microsoft did not say whether any of its programs are vulnerable.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," Budd wrote. "As always, if we find this issue affects any of our products, we will address them appropriately."

Storms said organisations should play close attention to the issue — particularly whether any Microsoft products are vulnerable — and take the necessary mitigation steps, including educating users. However, they also should understand that a successful exploit is difficult to accomplish.

"It's not as easy as a click-a-link-and-be-owned kind of thing," he said. "Two steps of user interaction [are required]."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


DLL hijacking issue prompts Microsoft advisory, tool
 
 
 
Top Stories
Australia's digital crescendo
Barely unpacked from his move from Amsterdam, Southern Cross Austereo's new digital boss Vijay Solanki is looking for Australia's untapped potential.
 
Turnbull nabs UK govt digital guru as DTO chief
Inaugural CEO to lead change agenda.
 
NBN to offer TV connections through fibre for greenfields
Ditching aerials to come at a cost.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Xerocon is heading to Melbourne!
Jul 1, 2015
We're not saying Xero is our FAVOURITE or anything, but Xero's 2015 Xerocon conference is being ...
New Microsoft Office apps for Android phones
Jun 26, 2015
Microsoft's latest Office apps for Android now work on phones as well as tablets, further ...
Windows 10 UK price revealed, but don't believe everything you hear
Jun 26, 2015
Windows 10 £99 price tag for users in the UK (who presumably don't already have Win 7 Pro ...
Now Xero notifies iOS users of new transactions
Jun 24, 2015
The latest version of Xero's iPhone app includes notifications when new transactions arrive from ...
Your Essential Cloud Toolbox
Jun 22, 2015
When BIT interviewed Receipt Bank country manager Sophie Hossack, we asked for her thoughts on ...
Latest Comments
Polls
Is site blocking effective in stopping piracy?


   |   View results
Yes
  2%
 
No
  86%
 
Somewhat
  12%
TOTAL VOTES: 749

Vote