
8/24/2010
05:28 PM

Microsoft Issues Advisory On New DLL Hijacking Attack

Third-party, Microsoft apps could harbor flaws that let attacker remotely run code on targeted machines

Microsoft is alerting users to a new attack against a class of vulnerabilities found in some third-party Windows applications -- and possibly Microsoft's own apps -- that lets an attacker remotely run malicious code on a victim's machine, and has released a free tool to mitigate the threat.

Researchers were already releasing new exploits in rapid succession today, including one for PowerPoint, in the wake of a new Metasploit module for the so-called DLL hijacking flaws that was released late yesterday.

Microsoft says it's investigating which of its own applications contain this vulnerability, which stems from applications loading external DLLs in an insecure way. Secure library loading is an issue developers have long been aware of, according to Microsoft, but the new remote attack vector revealed over the past few days prompted the advisory. "The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact," Microsoft's MSRC team blogged today.

The issue can't be fixed in Windows without "breaking expected functionality," according to the post. "Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future."

With Windows applications from multiple vendors affected and no official word yet from the vendors involved, speculation was rampant over how widespread the problem could be. HD Moore, chief security officer at Rapid7 and chief architect of Metasploit, said in a blog post that at least four of Microsoft's own applications can be exploited through this attack vector, and that Microsoft was already fixing two of them when he contacted the company about the issue.

Andrew Storms, director of security operations at nCircle, says the vulnerability is definitely fixable. "If we consider the real-world attack vector, most people don't have to worry too much about it. There are going to be two primary attacks: WebDAV [Web-based Distributed Authoring and Versioning] and SMB, and a user has to click on a link that takes them somewhere else," he says.

SMB, or Server Message Block, file shares are the more likely of the two attacks, he says. "An SMB share location is not a typical URL-looking scenario. You could probably train a user about this through education: 'if it doesn't look right, don't go there' kind of thing."

So far, none of the DLL hijacking exploits that have been released for the flaw are particularly dangerous, experts say. "Nobody's ruling out more interesting (and less ambiguous) implications for this class of behavior. It's certainly something that demands a closer look," says Dan Kaminsky, chief scientist at Recursive Ventures. "The behavior is interesting, bordering on uniquely so. I can't at all rule out that it allows a boundary to be violated. But none of the simple stuff people are doing now unambiguously violates an established security boundary."

Kaminsky says the flaw itself is impressive, but not "a massive bug."

But all it would take is a new form of the attack that uses a drive-by or other more effective method, and it's a new ballgame, according to nCircle's Storms.

Microsoft's new tool for the flaw, meanwhile, changes the way Windows loads libraries. The company also recommends that organizations filter all outbound SMB traffic at the perimeter firewall and disable the WebDAV client service on workstations to stop outbound WebDAV connections.

As for developers, Microsoft says it's a matter of ensuring that libraries load properly. "Microsoft has issued guidance to developers noting how to avoid the vulnerability by correctly using the available application programming interfaces to ensure that libraries called by their programs load correctly," said Christopher Budd, senior security response communications manager for Microsoft.
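To make the two mitigations above concrete (Microsoft's tool on the Windows side, correct API use on the developer side), here is an added illustration, not Microsoft's or any vendor's code: a small model of the default Windows DLL search order, with a constructed machine layout and share name, showing where a DLL requested by bare file name ends up when the application's working directory is a network share, and why removing the working directory from the search, or loading by full path, closes the hole.

```python
from pathlib import PureWindowsPath

# Added illustration (not Microsoft's or any vendor's code); the directory
# layout, share name and file names below are constructed for the example.
APP_DIR = PureWindowsPath(r"C:\Program Files\MediaApp")
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
PATH_DIRS = [PureWindowsPath(r"C:\Tools")]


def search_order(cwd, cwd_in_search=True):
    """Directories probed, in order, for a DLL requested by bare file name
    (default SafeDllSearchMode order; the 16-bit system dir is omitted).
    cwd_in_search=False models SetDllDirectory("") in the application, or
    the system-wide setting Microsoft's tool applies: CWD leaves the list."""
    order = [APP_DIR, SYSTEM_DIR, WINDOWS_DIR]
    if cwd_in_search:
        order.append(cwd)
    return order + PATH_DIRS


def resolve(dll_name, cwd, present, cwd_in_search=True):
    """Path the loader would pick for dll_name, or None if nothing matches.
    `present` is the set of files that exist. A full path skips the search
    entirely, which is the developer-side fix the advisory points to."""
    p = PureWindowsPath(dll_name)
    if p.is_absolute():
        return p if p in present else None
    for d in search_order(cwd, cwd_in_search):
        if d / p in present:
            return d / p
    return None


def demo():
    """Opening a media file on a share makes the share the app's CWD."""
    share = PureWindowsPath(r"\\untrusted-share\media")  # constructed
    present = {SYSTEM_DIR / "version.dll",       # a DLL installed locally
               share / "song.mp3",               # the lure file
               share / "version.dll",            # planted copy on the share
               share / "optionalcodec.dll"}      # planted; not installed locally
    return {
        # System32 is searched before CWD, so an installed DLL is safe...
        "installed": resolve("version.dll", share, present),
        # ...but a DLL the app merely probes for falls through to the share.
        "probed_unsafe": resolve("optionalcodec.dll", share, present),
        # With CWD removed from the search, the probe fails closed.
        "probed_tool": resolve("optionalcodec.dll", share, present, False),
        # Loading by full path never consults the share either.
        "probed_fullpath": resolve(str(APP_DIR / "optionalcodec.dll"), share, present),
    }
```

The exposure is therefore specific to DLLs an application asks for by bare name that are not present in its own directory or the system directories, which is why the fix is per-application rather than a single Windows patch.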

A bit of recent history on this class of vulnerabilities: last week a Slovenian security firm called Acros revealed a flaw in iTunes for Windows. If an attacker entices a user into opening a media file from a network share housing a malicious DLL, the attacker can then execute code remotely on the victim's machine. Metasploit's Moore had also run across the same bug, along with similar flaws in around 24 apps including iTunes. After hearing from Acros that it had no intention of alerting the vendors, he contacted Microsoft.

And back in 2008, researchers at the University of California-Davis presented research on this concept. Meanwhile, German researcher Thierry Zoller demonstrated in a blog post over the weekend how Photoshop could be vulnerable to the attack. "Expect a lot of applications vulnerable to this bug," Zoller said in the post.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
