DLL hijacking

Last August a security researcher found a way to exploit how dynamic link libraries are loaded on Windows systems. More precisely, the security issue lies in how these DLLs are resolved: generally by searching a sequence of directories and taking the first match. If an attacker can put their own implementation of the very same DLL the system wants to load in a directory searched before the “good one”, it’s game over.
This was a well-known issue, as you can see in this paper, but it wasn’t thought to be easy to exploit. Now, suddenly, we have thousands of vulnerable applications (and an audit tool to find them): http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html.
Microsoft released a security advisory, a KB and a workaround (and even a tool called Fix-It) to use until all these applications are fixed. MS states that for an exploit to work, a user has to click and execute remote malicious software from an already subverted SMB or WebDAV share. But still, this could be one of the major issues the whole security world has ever seen. Even though the issue was already known, its exploitation was only theoretical and little was done to mitigate it. As it has always seemed to me, MS assumes that its users are aware of all the risks they can find using their computers on a daily basis.
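
The first-match resolution described above can be audited mechanically. The sketch below is an added example, not code from the original post or from Microsoft: it models an ordered directory search and reports, per DLL, where the name resolves and which untrusted directories are searched before that point. The directory names, DLL names and search order are constructed sample input, not a statement of any Windows version's actual order.

```python
import os
import tempfile

def norm(path):
    return os.path.normcase(os.path.realpath(path))

def first_hit(dll_name, search_dirs):
    """Return the first directory, in search order, holding dll_name (else None)."""
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directory: the search moves on
        if any(entry.lower() == wanted for entry in entries):
            return directory
    return None

def audit(dll_names, search_dirs, trusted_dirs):
    """Per DLL: where it resolves, and which untrusted dirs are searched first."""
    trusted = {norm(d) for d in trusted_dirs}
    report = {}
    for name in dll_names:
        hit = first_hit(name, search_dirs)
        stop = search_dirs.index(hit) if hit is not None else len(search_dirs)
        report[name] = {
            "resolved_from": hit,
            "resolved_trusted": hit is not None and norm(hit) in trusted,
            # A copy in any of these would be found before the current hit.
            "untrusted_before_hit": [d for d in search_dirs[:stop]
                                     if norm(d) not in trusted],
        }
    return report

def demo():
    """Constructed layout: app dir, system dir, share opened as CWD, vendor dir."""
    root = tempfile.mkdtemp()
    app, system, cwd, vendor = (os.path.join(root, n)
                                for n in ("app", "system", "share_cwd", "vendor"))
    for d in (app, system, cwd, vendor):
        os.mkdir(d)
    for d, name in ((system, "core.dll"), (vendor, "codec.dll"), (cwd, "CODEC.DLL")):
        open(os.path.join(d, name), "wb").close()
    order = [app, system, cwd, vendor]  # constructed order, an input to the audit
    return audit(["core.dll", "codec.dll", "plugin.dll"], order, [app, system, vendor])

if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```

In the constructed layout, `codec.dll` resolves from the untrusted working directory even though a trusted copy exists later in the order, and `plugin.dll`, which exists nowhere, still has an untrusted directory on its search path.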


This entry was posted on Saturday, October 9th, 2010 at 8:04 PM and is filed under microsoft, security.
