Risk
9/30/2010
05:25 PM
50%
50%

IE, Windows XP Users Vulnerable To DLL Hijacking

Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users on Windows XP, according to Acros Security.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full photo gallery)
Internet Explorer and Windows XP users are at high risk from attacks that use DLL hijacking -- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of what's happening.

"Most attack scenarios don't include any security warnings," said Mitja Kolsek, CEO of Acros Security. "Users should therefore be careful when opening any hyperlinks -- not just on web pages, but also in email, documents and IM messages."

That message runs counter to some current DLL hijacking dogma. "Microsoft's Jerry Bryant, for instance, was quoted saying: 'Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important,'" said Kolsek.

But other researchers have been finding that warnings and dialogs can be scarce, especially given interesting combinations of attacks -- for example, using a uTorrent DLL against Google Chrome -- or just hiding attack code on a regular USB drive, CD or DVD.

To help separate fact from fiction, said Kolsek, "We looked at some of the most popular web browsers, most popular email clients and most popular document readers, trying to use them as delivery mechanisms for binary planting attack."

As part of those tests, it found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail and Windows Live Mail client.

Interestingly, however, unlike IE, "We found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive" -- for example, if attackers email an HTML file, said Kolsek.

Also, when in "protected view" mode, Word 2010 and Excel 2010 both restrict the attack somewhat, by requiring users to first enable hyperlinks in documents.

But based on the testing by Acros Security, the DLL hijacking vulnerability risk profile now looks worse, not better. "Our own experience in penetration testing confirms binary planting to be currently one of the most efficient and reliable methods for obtaining remote access to workstations in target networks," said Kolsek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Why else would HR ask me if I have a handicap?"
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.