Skip the navigation

Microsoft releases tool to block DLL load hijacking attacks

But stays mum on whether any of its own apps are vulnerable

August 23, 2010 08:42 PM ET

Computerworld - Microsoft on Monday responded to reports of potential zero-day attacks against a large number of Windows programs by publishing a tool it said would block known exploits.

However, the company declined to confirm whether any of its own applications are vulnerable, saying that it is currently investigating Microsoft-made software.

Monday's security advisory was its first public reaction to a wave of reports from researchers that developers have left a large number of Windows programs open to attack.

Many Windows applications don't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full pathname, but instead use only the filename, giving hackers wiggle room. Criminals can exploit that by tricking the application into loading a malicious file with the same name as the required DLL. The result: Hackers can hijack the PC and plant malware on the machine.

HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when he announced last week that he'd found 40 vulnerable Windows applications. Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from over 200 to fewer than 30.

Microsoft went to lengths today to tell users that the flaw isn't in Windows.

"We're not talking about a vulnerability in a Microsoft product," said Christopher Budd, a senior communications manager with the company's MSRC, or Microsoft Security Response Center. "This is an attack vector that tricks an application into loading an untrusted library."

Because application developers, not Windows, are to blame, Microsoft can't patch the operating system without crippling an unknown number of programs that run on the platform. Instead, Microsoft and third-party developers must sniff out which of their programs are vulnerable, then patch each separately.

To ward off attacks until then, Microsoft has, as expected, released a tool that blocks the loading of DLLs from remote directories, such as those on USB drives, Web sites and an organization's network, all possible vectors.

"The tool restricts the loading of remote libraries on a per app [basis] or in a blanket implementation," said Budd. The tool can be downloaded using Windows version-specific links in a just-published support document.



Our Commenting Policies