October 28th, 2010, 20:58 PM
Microsoft Windows Still Vulnerable To DLL Hijacking
Even patched Windows applications remain vulnerable to dynamic link library (DLL) hijacking -- aka DLL planting and DLL loading -- attacks due to the erratic way in which Windows attempts to load DLLs.
That warning comes from a security advisory released on Wednesday by ACROS Security.
How can attackers take advantage of the DLL vulnerability? According to Microsoft: "When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path name, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting." As a result, attackers can execute arbitrary code using the current user's access level.
To help developers code applications that avoid this DLL-hijacking vulnerability, Microsoft had released SetDllDirectory. This function allows developers to eliminate the current working directory from Windows DLL searches, to frustrate attackers who might otherwise use that directory to hide malicious DLL files.
But developers can't rely on SetDllDirectory, because it behaves erratically, at least on Windows XP Professional 32 bit, Windows Vista Business 32 and 64 bit, and Windows 7 Professional 32 bit, said Mitja Kolsek, CEO of Acros Security.
Full story: InformationWeek