Hacking toolkit publishes DLL hijacking exploit
Attacks against vulnerable Windows apps likely within weeks
Computerworld - The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.
"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."
Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.
Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.
Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.
"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."
According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.
Moore was the first to broach the subject last week when he announced he'd found 40 vulnerable Windows applications. He was quickly followed by others who claimed different numbers, ranging from over 200 to fewer than 30.
Both Moore and Kandek said that they expect Microsoft to issue an advisory later today that will include defensive workarounds but not a true patch. The latter, Kandek said today -- and Moore said last week -- isn't feasible since the vulnerabilities are in each application's code, not in Windows itself.
"They'll probably give some workarounds and advice, such as to avoid loading DLLs from a network share or WebDAV," said Kandek, referring to the technology built into Windows that allows for file sharing and collaboration on the Web. "I expect that they'll have some kind of tool that will turn off the loading of [DLLs] from WebDAV shares."
Fixes for the vulnerabilities may take months, said the experts. "This could turn into an issue like ATL," said Storms, talking about the bug in Active Template Library, a Microsoft-provided code library that had to be patched two summers ago. Then, too, developers, including Microsoft's, had to patch their programs individually.
"Like with ATL, it may take some time to see what's affected," Storms added.
One thing Storms and Moore both hoped to find out later today is which applications of its own that Microsoft would acknowledge being flawed. "The real question will be what Microsoft apps are affected, and whether they'll address the specifics," said Storms.
Moore was harsher. "Their statements have been disingenuous," he said, of the comments the company reportedly made to University of California Davis Ph.D. candidate Taeho Kwon when he contacted the firm in August 2009 about vulnerabilities he'd uncovered. "They knew then that at least some of their apps were vulnerable."
According to Moore, at least one Microsoft filetype can be exploited to hijack a PC using a DLL-loading bug.
Moore also published a detailed description of the vulnerability, which he dubbed "application DLL load hijacking," as well as some defensive measures users can take, in a Monday entry to the Rapid7 blog.
"I'd disable SMB and disable the Web client in Windows pronto," said Storms.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts