Windows DLL exploits boom; hackers post attacks for 40-plus apps
Publish exploits to subvert Firefox, Chrome, Word, Photoshop, Skype, dozens more
Computerworld - Some of the world's most popular Windows programs are vulnerable to attacks that exploit a major bug in the way they load critical code libraries, according to sites tracking attack code.
Among the Windows applications that are vulnerable to exploits that many have dubbed "DLL load hijacking" are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.
"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of postings of exploits that target the vulnerability in Windows software. Called "DLL load hijacking" by some, the exploits are dubbed "binary planting" by others.
On Monday, Microsoft confirmed reports of unpatched vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. The flaws stem from the way many Windows applications call code libraries -- dubbed "dynamic-link library," or "DLL" -- that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL.
If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.
Even before Microsoft described the problem, published its protective tool, and said it could not address the wide-ranging issue by patching Windows without crippling countless program, researcher HD Moore posted tools to find vulnerable applications and generate proof-of-concept code.
The majority of the exploits published in the last 48 hours have been generated by Moore's auditing tool and the generic exploit module added to the open-source Metasploit penetration testing toolkit.
Several sites have taken to tracking the applications that people have found vulnerable, including an informal list kept by Peter Van Eeckhoutte, a Belgium IT manager, and a longer one of published proof-of-concept exploits maintained by Offensive Security, an online security training company.
Among the 40 exploits listed by Offensive were ones for several Adobe products, including InDesign, Illustrator and Photoshop; a number of Microsoft-made programs, including a pair that were revealed yesterday by Slovenian security firm Acros; and other popular applications, such as Foxit Reader, uTorrent and Wireshark.
As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone.
The flood will likely continue: Yesterday, Moore updated his DLLHijackAuditKit to version 2, making it easier to use and quicker at identifying buggy programs.
"I don't recall seeing a list like that so quickly," said Marc Fossi, director of Symantec's security response team. "But at the same time I'm not surprised."
Fossi compared it to an earlier disclosure of a broad class of vulnerabilities that more than 10 years ago led to a large number of exploits in a short span of time. "It's like when format string errors were first discovered and you had all these apps being found that were vulnerable," Fossi said.
Format string vulnerabilities were long thought to be harmless, but in the late 1990s, researchers figured out how to exploit them to execute malware.
Moore had a different analogy in mind.
"The most recent example I can think of is the AxMan tool I released in 2006," said Moore in an e-mail reply to questions. "It resulted in hundreds of new ActiveX bugs and used a similar model of leveraging the security community at large to identify vulnerable applications."
AxMan was a Web-based fuzzing tool designed to find flaws in ActiveX controls, the widely-used and often-buggy add-on technology for Microsoft's Internet Explorer.
Moore believes that the rush of exploits will be a good thing in the end. "Overall, [AxMan] worked [and] ActiveX exploits sharply declined a few months after the tool's release and software vendors had an easy way to make sure they didn't repeat common mistakes," Moore said, referring to four years ago. "My hope is that having a quality assessment tool available for the DLL issue will lead to this being a non-issue in a few months."
Some developers, such as Wireshark and BitTorrent -- the latter maintains the uTorrent client -- have said they have fixes in the wings, and will update their software within days.
Microsoft, on the other hand, has declined to name vulnerable applications, even though researchers filed bug reports five months ago.
"Microsoft is analyzing its own applications to identify any that are affected by this new remote vector for DLL preloading attacks," Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC), said in an e-mail Tuesday. "We will take appropriate actions to protect customers, which may include releasing security advisories with mitigations and workarounds and security updates to address the issue."
Until patches are available, Microsoft has urged users to download the free tool that blocks locks DLLs from loading from remote directories, USB drives, Web sites and an organization's network.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts