Microsoft Issues Advisory On New DLL Hijacking Attack

Microsoft is alerting users about a new attack against a class of vulnerabilities found in some third-party Windows applications -- and possibly Microsoft's own apps -- and has released a free tool to mitigate the threat, which lets an attacker remotely run malicious code on a victim's machine.

Researchers today already were unleashing new exploits in rapid succession, including one for PowerPoint. The exploits came in the wake of the availability of a new Metasploit module that was released late yesterday for the so-called DLL hijacking flaws.

Microsoft says it's investigating which of its own applications contain this vulnerability, which basically has to do with how applications load external DLLs in an insecure way. Secure library-loading is an issue that's been known to developers, according to Microsoft, but the new remote attack vector revealed over the past few days prompted the advisory. "The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact," Microsoft's MSRC team blogged today.

The issue can't be fixed in Windows without "breaking expected functionality," according to the post. "Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future."

With multiple vendors' Windows applications being affected and no official word from those vendors involved just yet, speculation was rampant over how widespread this problem could be. HD Moore, chief security officer at Rapid7 and chief architect of Metasploit, said in a blog post that at least four of Microsoft's own applications can be exploited through this attack vector, and Microsoft was fixing two of these when he contacted the company about the issue.

Andrew Storms, director of security operations at nCircle, says the vulnerability is definitely fixable. "If we consider the real-world attack vector, most people don't have to worry too much about it. There are going to be two primary attacks: WebDAV [Web-based Distributed Authoring and Versioning] and SMB, and a user has to clink on a link that takes them somewhere else," he says.

SMB, or Server Message Block, fileshares are the more likely of the two attacks, he says. "An SMB share location is not a typical URL-looking scenario. You could probably train a user about this through education:' if it doesn't look right, don't go there' kind of thing."

So far, none of the DLL hijacking exploits that have been released for the flaw are particularly dangerous, experts say. "Nobody's ruling out more interesting (and less ambiguous) implications for this class of behavior. It's certainly something that demands a closer look," says Dan Kaminsky, chief scientist at Recursive Ventures. "The behavior is interesting, bordering on uniquely so. I can't at all rule out that it allows a boundary to be violated. But none of the simple stuff people are doing now unambiguously violates an established security boundary."

Kaminsky says the flaw itself is impressive, but not "a massive bug."

But all it would take is a new form of the attack that uses a drive-by or other more effective method, and it's a new ballgame, according to nCircle's Storms.

Microsoft's new tool for the flaw, meanwhile, basically alters the way Windows opens libraries. The company also recommends that organizations filter all outbound SMB traffic at the perimeter firewall and disable the WebDAV client service on workstations to stop outbound WebDAV connections.

As for developers, Microsoft says it's a matter of ensuring that libraries load properly. "Microsoft has issued guidance to developers noting how to avoid the vulnerability by correctly using the available application programming interfaces to ensure that libraries called by their programs load correctly," said Christopher Budd, senior security response communications manager for Microsoft.

A bit of recent history on the class of vulnerabilities: last week a Slovenian security firm called Acros revealed a flaw in iTunes for Windows. If a user is enticed by an attacker to open a media file from a network share housing a malicious DLL, the attacker can then execute code remotely on the victim's machine. Metasploit's Moore also ran across the same bug among similar flaws in around 24 apps including iTunes. After hearing from Acros that they had no intention of alerting the vendors, he contacted Microsoft.

And back in 2008, researchers at the University of California-Davis presented research on this concept. Meanwhile, German researcher Thierry Zoller demonstrated in a blog post over the weekend how PhotoShop could be vulnerable to the attack. "Expect a lot of applications vulnerable to this bug," Zoller said in the post.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.