Microsoft releases tool to block DLL load hijacking attacks
But stays mum on whether any of its own apps are vulnerable
Computerworld - Microsoft on Monday responded to reports of potential zero-day attacks against a large number of Windows programs by publishing a tool it said would block known exploits.
However, the company declined to confirm whether any of its own applications are vulnerable, saying that it is currently investigating Microsoft-made software.
Monday's security advisory was its first public reaction to a wave of reports from researchers that developers have left a large number of Windows programs open to attack.
Many Windows applications don't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full pathname, but instead use only the filename, giving hackers wiggle room. Criminals can exploit that by tricking the application into loading a malicious file with the same name as the required DLL. The result: Hackers can hijack the PC and plant malware on the machine.
HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when he announced last week that he'd found 40 vulnerable Windows applications. Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from over 200 to fewer than 30.
Microsoft went to lengths today to tell users that the flaw isn't in Windows.
"We're not talking about a vulnerability in a Microsoft product," said Christopher Budd, a senior communications manager with the company's MSRC, or Microsoft Security Response Center. "This is an attack vector that tricks an application into loading an untrusted library."
Because application developers, not Windows, are to blame, Microsoft can't patch the operating system without crippling an unknown number of programs that run on the platform. Instead, Microsoft and third-party developers must sniff out which of their programs are vulnerable, then patch each separately.
To ward off attacks until then, Microsoft has, as expected, released a tool that blocks the loading of DLLs from remote directories, such as those on USB drives, Web sites and an organization's network, all possible vectors.
"The tool restricts the loading of remote libraries on a per app [basis] or in a blanket implementation," said Budd. The tool can be downloaded using Windows version-specific links in a just-published support document.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts