Strategic Security Survey: Global Threat, Local Pain

Internet Explorer and Windows XP users are at high risk from attacks that use DLL hijacking -- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of what's happening.

"Most attack scenarios don't include any security warnings," said Mitja Kolsek, CEO of Acros Security. "Users should therefore be careful when opening any hyperlinks -- not just on web pages, but also in email, documents and IM messages."

That message runs counter to some current DLL hijacking dogma. "Microsoft's Jerry Bryant, for instance, was quoted saying: 'Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important,'" said Kolsek.

But other researchers have been finding that warnings and dialogs can be scarce, especially given interesting combinations of attacks -- for example, using a uTorrent DLL against Google Chrome -- or just hiding attack code on a regular USB drive, CD or DVD.

To help separate fact from fiction, said Kolsek, "We looked at some of the most popular web browsers, most popular email clients and most popular document readers, trying to use them as delivery mechanisms for binary planting attack."

As part of those tests, it found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail and Windows Live Mail client.

Interestingly, however, unlike IE, "We found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive" -- for example, if attackers email an HTML file, said Kolsek.

Also, when in "protected view" mode, Word 2010 and Excel 2010 both restrict the attack somewhat, by requiring users to first enable hyperlinks in documents.

But based on the testing by Acros Security, the DLL hijacking vulnerability risk profile now looks worse, not better. "Our own experience in penetration testing confirms binary planting to be currently one of the most efficient and reliable methods for obtaining remote access to workstations in target networks," said Kolsek.