8/24/2010 05:28 PM
Microsoft Issues Advisory On New DLL Hijacking Attack

Third-party, Microsoft apps could harbor flaws that let attacker remotely run code on targeted machines

Microsoft is alerting users about a new attack against a class of vulnerabilities found in some third-party Windows applications -- and possibly Microsoft's own apps -- and has released a free tool to mitigate the threat. Exploiting the flaws lets an attacker remotely run malicious code on a victim's machine.

Researchers were already releasing new exploits in rapid succession today, including one for PowerPoint. The exploits followed the release late yesterday of a new Metasploit module for the so-called DLL hijacking flaws.

Microsoft says it's investigating which of its own applications contain this vulnerability, which stems from applications loading external DLLs in an insecure way. Secure library loading is an issue that has long been known to developers, according to Microsoft, but the new remote attack vector revealed over the past few days prompted the advisory. "The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact," Microsoft's MSRC team blogged today.

The issue can't be fixed in Windows without "breaking expected functionality," according to the post. "Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future."

With multiple vendors' Windows applications affected and no official word yet from the vendors involved, speculation was rampant over how widespread the problem could be. HD Moore, chief security officer at Rapid7 and chief architect of Metasploit, said in a blog post that at least four of Microsoft's own applications can be exploited through this attack vector, and that Microsoft was fixing two of them when he contacted the company about the issue.

Andrew Storms, director of security operations at nCircle, says the vulnerability is definitely fixable. "If we consider the real-world attack vector, most people don't have to worry too much about it. There are going to be two primary attacks: WebDAV [Web-based Distributed Authoring and Versioning] and SMB, and a user has to click on a link that takes them somewhere else," he says.

SMB, or Server Message Block, file shares are the more likely of the two attacks, he says. "An SMB share location is not a typical URL-looking scenario. You could probably train a user about this through education: 'if it doesn't look right, don't go there' kind of thing."

So far, none of the DLL hijacking exploits that have been released for the flaw are particularly dangerous, experts say. "Nobody's ruling out more interesting (and less ambiguous) implications for this class of behavior. It's certainly something that demands a closer look," says Dan Kaminsky, chief scientist at Recursive Ventures. "The behavior is interesting, bordering on uniquely so. I can't at all rule out that it allows a boundary to be violated. But none of the simple stuff people are doing now unambiguously violates an established security boundary."

Kaminsky says the flaw itself is impressive, but not "a massive bug."

But all it would take is a new form of the attack that uses a drive-by or other more effective method, and it's a new ballgame, according to nCircle's Storms.

Microsoft's new tool for the flaw, meanwhile, alters the way Windows opens libraries. The company also recommends that organizations filter all outbound SMB traffic at the perimeter firewall and disable the WebDAV client service on workstations to stop outbound WebDAV connections.
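The two administrator workarounds just described, plus a quick audit of DLLs already mapped into running processes from a UNC path, as an added PowerShell example that is not from the article or from Microsoft's tool; it assumes an elevated prompt on a Windows host that uses the built-in Windows Firewall:

```powershell
# Added example (not from the article): applies the two workarounds Microsoft
# recommends for administrators and audits running processes for DLLs loaded
# from a UNC path. Run from an elevated PowerShell prompt on Windows.

# 1. Stop the WebDAV client service (WebClient) and keep it from starting
#    again, so the workstation cannot be coaxed into fetching a DLL over WebDAV.
Stop-Service -Name WebClient -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 2. Block outbound SMB (TCP 139/445) in the host firewall. netsh syntax is
#    used instead of New-NetFirewallRule so the same line works on Windows 7.
#    This also blocks legitimate file-server access; narrow it with remoteip=
#    or keep the block at the perimeter firewall instead if that is a problem.
netsh advfirewall firewall add rule name="Block outbound SMB (DLL hijacking workaround)" `
    dir=out action=block protocol=TCP remoteport=139,445

# 3. Audit: list modules currently mapped into processes from a UNC path
#    (\\server\share, or \\server@SSL\... for WebDAV). A DLL loaded from a
#    remote share is exactly the condition the remote attack vector relies on.
function Get-RemotelyLoadedModule {
    Get-Process | ForEach-Object {
        $proc = $_
        # Module enumeration is denied for some protected / other-bitness
        # processes; skip those rather than abort the audit.
        try { $mods = $proc.Modules } catch { return }
        foreach ($m in $mods) {
            if ($m.FileName -like '\\*') {
                New-Object PSObject -Property @{
                    ProcessName = $proc.ProcessName
                    ProcessId   = $proc.Id
                    Module      = $m.ModuleName
                    Path        = $m.FileName
                }
            }
        }
    }
}

Get-RemotelyLoadedModule | Format-Table ProcessName, ProcessId, Module, Path -AutoSize
```

The audit only sees modules already loaded at the moment it runs; it is a spot check, not a substitute for fixing the library loads in the affected applications.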

As for developers, Microsoft says it's a matter of ensuring that libraries load properly. "Microsoft has issued guidance to developers noting how to avoid the vulnerability by correctly using the available application programming interfaces to ensure that libraries called by their programs load correctly," said Christopher Budd, senior security response communications manager for Microsoft.

A bit of recent history on this class of vulnerabilities: last week a Slovenian security firm called Acros revealed a flaw in iTunes for Windows. If an attacker entices a user to open a media file from a network share housing a malicious DLL, the attacker can then execute code remotely on the victim's machine. Metasploit's Moore also ran across the same bug, among similar flaws in around 24 apps including iTunes. After hearing from Acros that they had no intention of alerting the vendors, he contacted Microsoft.

And back in 2008, researchers at the University of California, Davis presented research on this concept. Meanwhile, German researcher Thierry Zoller demonstrated in a blog post over the weekend how Photoshop could be vulnerable to the attack. "Expect a lot of applications vulnerable to this bug," Zoller said in the post.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
