

8/24/2010 05:28 PM

Microsoft Issues Advisory On New DLL Hijacking Attack

Third-party, Microsoft apps could harbor flaws that let attacker remotely run code on targeted machines

Microsoft is alerting users about a new attack against a class of vulnerabilities found in some third-party Windows applications -- and possibly Microsoft's own apps -- that lets an attacker remotely run malicious code on a victim's machine, and has released a free tool to mitigate the threat.

Researchers today already were unleashing new exploits in rapid succession, including one for PowerPoint. The exploits came in the wake of the availability of a new Metasploit module that was released late yesterday for the so-called DLL hijacking flaws.

Microsoft says it's investigating which of its own applications contain this vulnerability, which stems from applications loading external DLLs in an insecure way. Secure library loading is an issue that has long been known to developers, according to Microsoft, but the new remote attack vector revealed over the past few days prompted the advisory. "The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact," Microsoft's MSRC team blogged today.

The issue can't be fixed in Windows without "breaking expected functionality," according to the post. "Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future."

With multiple vendors' Windows applications being affected and no official word from those vendors involved just yet, speculation was rampant over how widespread this problem could be. HD Moore, chief security officer at Rapid7 and chief architect of Metasploit, said in a blog post that at least four of Microsoft's own applications can be exploited through this attack vector, and Microsoft was fixing two of these when he contacted the company about the issue.

Andrew Storms, director of security operations at nCircle, says the vulnerability is definitely fixable. "If we consider the real-world attack vector, most people don't have to worry too much about it. There are going to be two primary attacks: WebDAV [Web-based Distributed Authoring and Versioning] and SMB, and a user has to click on a link that takes them somewhere else," he says.

SMB, or Server Message Block, fileshares are the more likely of the two attacks, he says. "An SMB share location is not a typical URL-looking scenario. You could probably train a user about this through education: 'if it doesn't look right, don't go there' kind of thing."

So far, none of the DLL hijacking exploits that have been released for the flaw are particularly dangerous, experts say. "Nobody's ruling out more interesting (and less ambiguous) implications for this class of behavior. It's certainly something that demands a closer look," says Dan Kaminsky, chief scientist at Recursive Ventures. "The behavior is interesting, bordering on uniquely so. I can't at all rule out that it allows a boundary to be violated. But none of the simple stuff people are doing now unambiguously violates an established security boundary."

Kaminsky says the flaw itself is impressive, but not "a massive bug."

But all it would take is a new form of the attack that uses a drive-by or other more effective method, and it's a new ballgame, according to nCircle's Storms.

Microsoft's new tool for the flaw, meanwhile, basically alters the way Windows opens libraries. The company also recommends that organizations filter all outbound SMB traffic at the perimeter firewall and disable the WebDAV client service on workstations to stop outbound WebDAV connections.
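The two network-side workarounds in that recommendation, applied and verified on a single host with PowerShell. This is an added example, not Microsoft's tool or anything from the advisory; it assumes Windows 8 / Server 2012 or later with PowerShell 5.1 (for the NetSecurity cmdlets and the service `StartType` property), and it approximates the perimeter filter with the host firewall's `Internet` address scope so that intranet file shares keep working.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, the advisory, or Microsoft's tool).
# Assumes Windows 8 / Server 2012+ and PowerShell 5.1 (NetSecurity module,
# ServiceController.StartType). The advisory says "perimeter firewall"; here
# the host firewall blocks SMB to the 'Internet' scope only, so domain shares,
# printers and SYSVOL on the local network are unaffected.
$ErrorActionPreference = 'Stop'

# 1. Block outbound SMB toward non-intranet addresses. TCP 445 is
#    direct-hosted SMB; TCP 139 and UDP 137/138 are the NetBIOS transports.
$rules = @(
    @{ Name = 'Block outbound SMB to Internet (TCP 139,445)'; Proto = 'TCP'; Port = @('139', '445') },
    @{ Name = 'Block outbound NetBIOS to Internet (UDP 137,138)'; Proto = 'UDP'; Port = @('137', '138') }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
            -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress Internet -Profile Any | Out-Null
    }
}

# 2. Stop and disable the WebDAV redirector (WebClient). Without it a UNC path
#    cannot fall back to HTTP/WebDAV once SMB is blocked. Side effect: mapping
#    WebDAV/SharePoint document libraries in Explorer stops working.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

# 3. Verify the end state rather than trusting the cmdlets' silence.
function Test-DllHijackWorkarounds {
    $ok = $true
    foreach ($r in $rules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { $ok = $false }
    }
    $web = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($web -and ($web.StartType -ne 'Disabled' -or $web.Status -ne 'Stopped')) { $ok = $false }
    return $ok
}
Write-Output ("DLL-hijacking network workarounds in place: {0}" -f (Test-DllHijackWorkarounds))
```

Running the script again is idempotent: existing rules are left alone and the service is only touched if it is not already stopped and disabled.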

As for developers, Microsoft says it's a matter of ensuring that libraries load properly. "Microsoft has issued guidance to developers noting how to avoid the vulnerability by correctly using the available application programming interfaces to ensure that libraries called by their programs load correctly," said Christopher Budd, senior security response communications manager for Microsoft.

A bit of recent history on the class of vulnerabilities: last week a Slovenian security firm called Acros revealed a flaw in iTunes for Windows. If a user is enticed by an attacker to open a media file from a network share housing a malicious DLL, the attacker can then execute code remotely on the victim's machine. Metasploit's Moore had also found the same bug, along with similar flaws in around 24 apps including iTunes. After hearing from Acros that it had no intention of alerting the vendors, he contacted Microsoft.

And back in 2008, researchers at the University of California-Davis presented research on this concept. Meanwhile, German researcher Thierry Zoller demonstrated in a blog post over the weekend how Photoshop could be vulnerable to the attack. "Expect a lot of applications vulnerable to this bug," Zoller said in the post.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
