IE users most at risk from DLL hijacking attacks

Users of Microsoft's Internet Explorer (IE) are more vulnerable to rogue DLL attacks than people who use rival browsers such as Mozilla's Firefox or Google's Chrome, a security researcher said today.

When running on Windows XP, Internet Explorer 6 (IE6), IE7 and IE8 do not warn users when they click on a malicious link that automatically downloads a malicious dynamic link library, or DLL, to the PC, said Mitja Kolsek, the CEO of Slovenian security company Acros Security.

Called "binary planting" by Acros and "DLL load hijacking" by others, the attack technique jumped into public view last month when HD Moore, the creator of the Metasploit penetration hacking toolkit, said he'd found 40 vulnerable Windows applications. Moore was followed by other researchers, including Kolsek, who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.

Many Windows applications don't call DLLs using a full path name, but instead use only the filename, giving hackers wiggle room that they can then exploit by tricking an application into loading a malicious file with the same title as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shared folders, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.

:story: Full story: Computerworld