IE users most at risk from DLL hijacking attacks

Stuxnet worm used the attack strategy, notes researcher

Users of Microsoft's Internet Explorer (IE) are more vulnerable to rogue DLL attacks than people who use rival browsers such as Mozilla's Firefox or Google's Chrome, a security researcher said today.

When running on Windows XP, Internet Explorer 6 (IE6), IE7 and IE8 do not warn users when they click on a malicious link that automatically downloads a malicious dynamic link library, or DLL, to the PC, said Mitja Kolsek, the CEO of Slovenian security company Acros Security.

Called "binary planting" by Acros and "DLL load hijacking" by others, the attack technique jumped into public view last month when HD Moore, the creator of the Metasploit penetration hacking toolkit, said he'd found 40 vulnerable Windows applications. Moore was followed by other researchers, including Kolsek, who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.

Many Windows applications don't call DLLs using a full path name, but instead use only the filename, giving hackers wiggle room that they can then exploit by tricking an application into loading a malicious file with the same title as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shared folders, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.

Binary planting or DLL hijacking attacks have been known about for at least 10 years, and Microsoft was again informed of the problem in August 2009 by researchers at the University of California Davis.

But IE users, particularly those running Windows XP, are especially susceptible, Kolsek said, pointing to testing his firm has conducted.

And that category includes a lot of online users. According to the most recent numbers from Web metric vendor Net Applications, Windows XP powered 66.7% of all Windows machines last month.

Users running IE7 or IE8 on Windows Vista or Windows 7 are safer, said Kolsek, who noted that both browsers run by default in "Protected Mode" on those operating systems. Protected Mode is Microsoft's term for a sandbox-like environment in which IE runs with restricted rights.

The problem on XP is that it automatically opens Windows Explorer, the operating system's file manager, whenever IE encounters a remote shared folder. At that point, the hackers have won, Kolsek said.

"It's not so much that IE itself is vulnerable to binary planting, but that other applications' binary planting vulnerabilities can be exploited relatively easily through IE, and in most cases without a single warning," said Kolsek.

Danish vulnerability tracker Secunia has compiled a list of 175 Windows applications that contain one or more unpatched binary planting bugs. Acros Security has identified more than 500 individual vulnerabilities.

Because rival browsers don't automatically call up Windows Explorer, their users aren't vulnerable to such one-click binary planting attacks. "Chrome and Firefox, for example, don't launch Windows Explorer," said Kolsek. Nor do Apple's Safari or Opera Software's Opera browser.

Binary planting attacks have been making the rounds on the Web, and even the high-profile Stuxnet worm -- which has infected large numbers of PCs in Iran, including some at its nuclear facilities -- has used the technique to infect Siemens industrial control software, said Kolsek, citing details that Symantec spelled out earlier this week .

Microsoft has said it can't craft a patch for Windows to fix the binary planting problem, but that developers must instead fix their own applications. The company has issued a tool to block attacks originating from remote shared folders, but has not pushed it to all users.

Nor has Microsoft disclosed which of its own applications contain binary planting bugs.

However, today Kolsek said that IE7 and IE8 each contain a pair of binary planting bugs that could let attackers hijack Windows PCs. Acros Security has reported the IE vulnerabilities to Microsoft.

"These require more user interaction and are thus harder to exploit," Kolsek admitted. "[But] we would still use these in penetration tests, and I'm sure with a decent success rate."

Apple, Mozilla and Opera have already patched similar bugs in their browsers. Google has not patched Chrome's binary planting bug, however.

Some of those browsers are vulnerable to binary planting attacks based on other techniques, such as tricking the user into downloading a malicious DLL -- something that Israeli researcher Aviv Raff demonstrated last month using Chrome -- or by convincing a Safari user to open a Web link embedded in an e-mail.

The lack of patching progress by application developers, Microsoft included, had Kolsek down in the dumps Wednesday.

"It's pretty discouraging," he said, reflecting on the small number of applications that have been fixed in the last month. "Most vendors are completely ignoring this. Meanwhile, we're sitting on a pile of undisclosed vulnerabilities."

Kolsek urged Microsoft and others to get cracking. "Maybe Microsoft will decide that the Band-Aid it applied is enough, and won't do anything more," he said, referring to the tool the company has issued. "But binary planting is just a candy store for malware writers. We can't just let this go by and forget about it."

Microsoft did not reply to a request for comment on Kolsek's claims that IE7 and IE8 contain unpatched binary planting vulnerabilities.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingapplicationsMicrosoftsecurityWindowsbrowserssoftwareMalware and Vulnerabilitiesoperating systemsmozillaGoogle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?