more Quotes
Tips and Tricks

Headline

Applicable OS

Web Link

Comments

Date

Comment

Windows DLL load hijacking exploits go wild

Windows OS

Computer World link

Problems with malicious .DLL files caused from Windows application downloads

August 2010

Tips

Document No

 

Less than 24 hours after Microsoft said it couldn't patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company's software.

Also on Tuesday, a security firm that's been researching the issue for the last nine months said 41 of Microsoft's own programs can be remotely exploited using DLL load hijacking, and named two of them.

On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

Microsoft also declined to say whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.

Many Windows applications don't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full pathname, but instead use only the filename, giving hackers wiggle room that they can then exploit by tricking the application into loading a malicious file with the same name as a required DLL.

If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack the PC and plant malware on the machine.

By Tuesday, at least four exploits of what some call "binary planting" attacks, others dub "DLL load hijacking" attacks, had been published to a well-known hacker site. Two of the exploits targeted Microsoft-made software, including PowerPoint 2010, the presentation maker in Office 2010, and Windows Live Mail, a free e-mail client bundled with Vista but available as a free download for Windows 7 customers.

Other exploits aimed at leveraging DLL load hijacking bugs in uTorrent and Wireshark, a BitTorrent client and network protocol analyser, respectively.

At the same time, a Slovenian security company claimed that it reported bugs in two Microsoft-made programs last March.

"We're going to publish a list of the vulnerable apps we found sometime soon," said Mitja Kolsek, the CEO of Acros Security. "However, since HD Moore's toolkit is already being used for finding vulnerable apps and at this point hundreds of good and bad guys already know about it, I can say that the two we fully-disclosed to Microsoft were in Windows Address Book/Windows Contacts and Windows Program Manager Group Converter.

HD Moore is the American researcher who kicked off a small wave of DLL load hijacking reports last week when announced he had found 40 vulnerable Windows applications . On Monday, Moore published an auditing tool that others can use to detect vulnerable software. When combined with an exploit added that same day to Metasploit, the open-source hacking toolkit that Moore authored, the tool's results produce what he called a "point-and-shoot" attack .

All four of the exploits that went public Tuesday appear to be based on Moore's Metasploit attack code.

Although the Windows Address Book -- renamed Windows Contacts with the launch of Vista in 2007 -- may be familiar to users, Program Manager Group Converter is probably not, Kolsek admitted. But both can be exploited.

"They're part of every Windows installation and are associated with certain file extensions, allowing for 'double-click-bang' remote attacks," Kolsek said. "To increase the likelihood of success, an attacker can create a shortcut with a PDF or Word document icon pointing to such files, which otherwise have different, less familiar icons."

Contrary to Kolsek's claim, Program Manager Group Converter, a holdover from pre-Windows 95 days, is included with Windows XP, but not with Vista or Windows 7.

Altogether, Acros uncovered 121 remote execution vulnerabilities in 41 different Microsoft applications, but reported details of only the pair in Address Book/Contacts and Program Manager Group Converter. The rest were left for Microsoft's own researchers to find, said Kolsek.

Like a number of other companies, notably the French firm Vupen Security, Acros has decided that it will no longer report its vulnerability discoveries to vendors without compensation. "We've been giving them away for 10 years now," said Kolsek, "and it wasn't doing anything for us."

In a long post to a new Acros blog , Kolsek added that there was no bad blood between his company and Microsoft over the former's refusal to identify 119 bugs in the latter's products. "It was a mere incompatibility of business interests," he said.

Wireshark's lead developer, Gerald Combs, said today that a fix for the DLL load hijacking bug would be released in the next few days. Microsoft and BitTorrent, the firm responsible for uTorrent, did not reply to requests for comment about their patching plans.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Helping you turn more prospects into Customers

© Copyright 2012 4UCRM.com  All rights reserved. Last Updated Tuesday, July 17, 2012
TAGS: Crm made easy, making CRM successful, How to Benefit from CRM, Continuous Improvement, CRM Success Tips, CRM Strategy, CRM Database, Integrity, CRM Effectiveness, Marketing Strategy, Campaigns ACT Software - ACT! Software Support - Australian ACT Consultants - Australian ACT Support Australian ACT! Support

4U_Logo

Helping you turn more prospects into customers

Quick links

Windows Tips & Tricks
Some Windows tips to help you become more productive.

ACT! Tips & Tricks
A range of tips for ACT! users to save you time.

Remote Support
When you have a problem we may be able to connect to your machine remotely and resolve without having to schedule an on-site visit.

Existing Clients
Our client list may be in your industry.

Updates
Find updates for your system.