Microsoft still mum on programs prone to DLL hijacking attacks

Instead, it offers automated tool to simplify attack blocking setup

Microsoft on Tuesday again abstained from naming which of its Windows programs, if any, contain bugs that could lead to widespread "DLL load hijacking" attacks.

Also on Tuesday, the company published an automated tool to make it easier for users to block attacks exploiting vulnerabilities in a host of Windows applications.

The DLL load hijacking vulnerabilities exist in many Windows applications because the programs don't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full pathname, but instead use only the filename. Criminals can exploit that by tricking the application into loading a malicious file with the same name as the required DLL. The result: Hackers can hijack the PC and plant malware on the machine.

"Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in a Tuesday entry on that team's blog . "This will primarily be in the form of security updates or defense-in-depth updates."

Although Microsoft again declined to call out its vulnerable software, outside researchers have identified as potential targets a number of its high-profile apps, including Word 2007, PowerPoint 2007 and 2010, Address Book and Windows Contact, and Windows Live Mail.

Other vendors' software may also be at risk, including Mozilla's Firefox, Google's Chrome, and Adobe's Photoshop.

Bryant hinted that some Microsoft software could be exploited. "Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important," he said, referring to the second-highest threat ranking in the company's four-step scoring system.

Microsoft typically uses Important to describe bugs that can be exploited remotely -- via the Internet or e-mail, for example -- but which also require that the user assist the attack in some way, usually by clicking through warnings or opening a malicious file.

In another blog , Jonathan Ness, an engineer with MSRC, and Maarten Van Horenbeeck, an MSRC program manager, described how customers can deploy and use a tool the company first offered Aug. 23 .

That tool blocks the loading of DLLs from remote directories, such as those on USB drives, Web sites and an organization's network, and is aimed at enterprise IT personnel.

Not surprisingly, Microsoft acknowledged that users have asked for more help with the tool. Shortly after its release, IT professionals complained that the tool was confusing and asked colleagues for advice on how to configure it.

To simplify things, Microsoft has posted a "Fix It" tool on its support site that automatically blocks any DLLs from loading from WebDAV or SMB (Server Message Block) shares, two of the most likely attack vectors. Users must still download and install the original tool, however.

Ness and Van Horenbeeck also downplayed the threat to some extent, saying that DLL load hijacking bugs cannot be exploited via "drive-by" attacks, where a user's PC is infected as soon as he or she browses to a malicious site.

"A victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays," they said.

Microsoft has known of the issue since at least August 2009 , when researchers with the University of California Davis notified the company of their work. There's evidence, however, of reports as far back as 2000, and attacks exploiting the flaw the following year, when the Nimda worm leveraged the bug in Office 2000.

HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when, on Aug. 19, he said he'd found 40 vulnerable Windows applications . Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.

Some vendors have already patched the problem in their software. Both uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively, have been updated to address the bug.

Others are working on a fix. "We're testing our own Firefox-specific fixes and plan to get them out to users soon," Mozilla's security team said in an e-mail reply to questions last week.

Even so, Microsoft said patches may be long in coming to some users. "We recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible," Bryant admitted.

In lieu of patches, the blocking tool is the best defense, he continued. With that in mind, Microsoft plans to make the tool available "within the next couple of weeks" for downloading and deployment using Windows Server Update Services (WSUS), Microsoft's most-used business patch management mechanism.

The company is also thinking about pushing the tool to everyone, including consumers, via Windows Update, although it would be switched off by default, said Bryant.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftoperating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?