Risk
9/30/2010
05:25 PM

IE, Windows XP Users Vulnerable To DLL Hijacking

Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users on Windows XP, according to Acros Security.

Internet Explorer and Windows XP users are at high risk from attacks that use DLL hijacking -- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of what's happening.

"Most attack scenarios don't include any security warnings," said Mitja Kolsek, CEO of Acros Security. "Users should therefore be careful when opening any hyperlinks -- not just on web pages, but also in email, documents and IM messages."

That message runs counter to some current DLL hijacking dogma. "Microsoft's Jerry Bryant, for instance, was quoted saying: 'Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important,'" said Kolsek.

But other researchers have been finding that warnings and dialogs can be scarce, especially given interesting combinations of attacks -- for example, using a uTorrent DLL against Google Chrome -- or just hiding attack code on a regular USB drive, CD or DVD.

To help separate fact from fiction, said Kolsek, "We looked at some of the most popular web browsers, most popular email clients and most popular document readers, trying to use them as delivery mechanisms for binary planting attack."

As part of those tests, Acros found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail or Windows Live Mail client.
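The symptom a defender can look for in the scenario above is a local executable loading a DLL from the remote share that was just opened as its current directory. The following script is an added example, not code from the article or from Acros Security; the log lines are constructed to resemble image-load telemetry (Sysmon Event ID 7 style) and the field layout is an assumption.

```python
# Added example (not from the article): flag DLL loads that resolve to a
# remote share, the footprint of a binary planting attack delivered through
# a remote shared folder link. Log format below is constructed, not real
# telemetry from any product.
import re
from typing import Dict, List

# Constructed sample lines. Assumed layout:
# "Image=<process> ImageLoaded=<dll> CurrentDirectory=<cwd>"
SAMPLE_LOG = """\
Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll CurrentDirectory=C:\\Users\\alice\\
Image=C:\\Program Files\\Viewer\\viewer.exe ImageLoaded=\\\\203.0.113.10\\docs\\dwmapi.dll CurrentDirectory=\\\\203.0.113.10\\docs\\
Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\comctl32.dll CurrentDirectory=C:\\Windows\\System32\\
Image=C:\\Program Files\\Viewer\\viewer.exe ImageLoaded=\\\\share.example.test\\DavWWWRoot\\pub\\version.dll CurrentDirectory=\\\\share.example.test\\DavWWWRoot\\pub\\
"""

LINE_RE = re.compile(
    r"Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+?) CurrentDirectory=(?P<cwd>.+)$"
)


def is_remote_path(path: str) -> bool:
    """True for UNC paths (\\\\server\\share\\...), which also covers WebDAV shares."""
    return path.startswith("\\\\")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its three fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return m.groupdict()


def find_remote_dll_loads(log_text: str) -> List[Dict[str, str]]:
    """Return every event where a locally installed binary loaded a DLL
    from a remote path; cwd_match marks loads taken from the process's
    own current directory, i.e. the search-order weakness being exploited."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_remote_path(ev["dll"]) and not is_remote_path(ev["image"]):
            ev["cwd_match"] = ev["dll"].lower().startswith(ev["cwd"].lower())
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in find_remote_dll_loads(SAMPLE_LOG):
        print(f"{h['image']} loaded {h['dll']} from its CWD: {h['cwd_match']}")
```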

Interestingly, however, unlike IE, "We found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive" -- for example, if attackers email an HTML file, said Kolsek.

Also, when in "protected view" mode, Word 2010 and Excel 2010 both restrict the attack somewhat, by requiring users to first enable hyperlinks in documents.

But based on the testing by Acros Security, the DLL hijacking vulnerability risk profile now looks worse, not better. "Our own experience in penetration testing confirms binary planting to be currently one of the most efficient and reliable methods for obtaining remote access to workstations in target networks," said Kolsek.
