VNetPros Twitter Updates
Microsoft DLL Hijacking Exploit in Action
The DLL load hijacking vulnerabilities exist in many Windows applications because the programs don’t call code libraries—dubbed “dynamic-link library,” or “DLL”—using the full pathname, but instead use only the filename. Criminals can exploit that by tricking the application into loading a malicious file with the same name as the required DLL. The result: Hackers can hijack the PC and plant malware on the machine.
“Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in a Tuesday entry on that team’s blog. “This will primarily be in the form of security updates or defense-in-depth updates.”
Although Microsoft again declined to call out its vulnerable software, outside researchers have identified as potential targets a number of its high-profile apps, including Word 2007, PowerPoint 2007 and 2010, Address Book and Windows Contact, and Windows Live Mail.
Other vendors’ software may also be at risk, including Mozilla’s Firefox, Google’s Chrome, and Adobe’s Photoshop.
Microsoft has known of the issue since at least August 2009, when researchers with the University of California Davis notified the company of their work. There’s evidence, however, of reports as far back as 2000, and attacks exploiting the flaw the following year, when the Nimda worm leveraged the bug in Office 2000.
HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when, on Aug. 19, he said he’d found 40 vulnerable Windows applications. Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.
Some vendors have already patched the problem in their software. Both uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively, have been updated to address the bug.
Others are working on a fix. “We’re testing our own Firefox-specific fixes and plan to get them out to users soon,” Mozilla’s security team said in an e-mail reply to questions last week.
Even so, Microsoft said patches may be long in coming to some users. “We recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible,” Bryant admitted.
In lieu of patches, the blocking tool is the best defense, he continued. With that in mind, Microsoft plans to make the tool available “within the next couple of weeks” for downloading and deployment using Windows Server Update Services (WSUS), Microsoft’s most-used business patch management mechanism.
The company is also thinking about pushing the tool to everyone, including consumers, via Windows Update, although it would be switched off by default, said Bryant.