Vulnerabilities / Threats

8/24/2010
05:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Issues Advisory On New DLL Hijacking Attack

Third-party, Microsoft apps could harbor flaws that let attacker remotely run code on targeted machines

Microsoft is alerting users about a new attack against a class of vulnerabilities found in some third-party Windows applications -- and possibly Microsoft's own apps -- and has released a free tool to mitigate the threat, which lets an attacker remotely run malicious code on a victim's machine.

Researchers today already were unleashing new exploits in rapid succession, including one for PowerPoint. The exploits came in the wake of the availability of a new Metasploit module that was released late yesterday for the so-called DLL hijacking flaws.

Microsoft says it's investigating which of its own applications contain this vulnerability, which basically has to do with how applications load external DLLs in an insecure way. Secure library-loading is an issue that's been known to developers, according to Microsoft, but the new remote attack vector revealed over the past few days prompted the advisory. "The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact," Microsoft's MSRC team blogged today.

The issue can't be fixed in Windows without "breaking expected functionality," according to the post. "Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future."

With multiple vendors' Windows applications being affected and no official word from those vendors involved just yet, speculation was rampant over how widespread this problem could be. HD Moore, chief security officer at Rapid7 and chief architect of Metasploit, said in a blog post that at least four of Microsoft's own applications can be exploited through this attack vector, and Microsoft was fixing two of these when he contacted the company about the issue.

Andrew Storms, director of security operations at nCircle, says the vulnerability is definitely fixable. "If we consider the real-world attack vector, most people don't have to worry too much about it. There are going to be two primary attacks: WebDAV [Web-based Distributed Authoring and Versioning] and SMB, and a user has to clink on a link that takes them somewhere else," he says.

SMB, or Server Message Block, fileshares are the more likely of the two attacks, he says. "An SMB share location is not a typical URL-looking scenario. You could probably train a user about this through education:' if it doesn't look right, don't go there' kind of thing."

So far, none of the DLL hijacking exploits that have been released for the flaw are particularly dangerous, experts say. "Nobody's ruling out more interesting (and less ambiguous) implications for this class of behavior. It's certainly something that demands a closer look," says Dan Kaminsky, chief scientist at Recursive Ventures. "The behavior is interesting, bordering on uniquely so. I can't at all rule out that it allows a boundary to be violated. But none of the simple stuff people are doing now unambiguously violates an established security boundary."

Kaminsky says the flaw itself is impressive, but not "a massive bug."

But all it would take is a new form of the attack that uses a drive-by or other more effective method, and it's a new ballgame, according to nCircle's Storms.

Microsoft's new tool for the flaw, meanwhile, basically alters the way Windows opens libraries. The company also recommends that organizations filter all outbound SMB traffic at the perimeter firewall and disable the WebDAV client service on workstations to stop outbound WebDAV connections.

As for developers, Microsoft says it's a matter of ensuring that libraries load properly. "Microsoft has issued guidance to developers noting how to avoid the vulnerability by correctly using the available application programming interfaces to ensure that libraries called by their programs load correctly," said Christopher Budd, senior security response communications manager for Microsoft.

A bit of recent history on the class of vulnerabilities: last week a Slovenian security firm called Acros revealed a flaw in iTunes for Windows. If a user is enticed by an attacker to open a media file from a network share housing a malicious DLL, the attacker can then execute code remotely on the victim's machine. Metasploit's Moore also ran across the same bug among similar flaws in around 24 apps including iTunes. After hearing from Acros that they had no intention of alerting the vendors, he contacted Microsoft.

And back in 2008, researchers at the University of California-Davis presented research on this concept. Meanwhile, German researcher Thierry Zoller demonstrated in a blog post over the weekend how PhotoShop could be vulnerable to the attack. "Expect a lot of applications vulnerable to this bug," Zoller said in the post.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.