August 24th, 2010, 21:56 PM
Windows DLL load hijacking exploits go wild
Less than 24 hours after Microsoft said it couldn't patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company's software.
Also on Tuesday, a security firm that's been researching the issue for the past nine months said 41 of Microsoft's own programs can be remotely exploited using DLL load hijacking, and it named two of them.
On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.
Microsoft also declined to reveal whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.
Many Windows applications don't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full path name, but instead use only the file name, giving hackers wiggle room that they can then exploit by tricking an application into loading a malicious file with the same name as a required DLL.
If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.
Full story: Computerworld