IE users most at risk from DLL hijacking attacks
Stuxnet worm used the attack strategy, notes researcher
Computerworld - Users of Microsoft's Internet Explorer (IE) are more vulnerable to rogue DLL attacks than people who use rival browsers such as Mozilla's Firefox or Google's Chrome, a security researcher said today.
When running on Windows XP, Internet Explorer 6 (IE6), IE7 and IE8 do not warn users when they click on a malicious link that automatically downloads a malicious dynamic link library, or DLL, to the PC, said Mitja Kolsek, the CEO of Slovenian security company Acros Security.
Called "binary planting" by Acros and "DLL load hijacking" by others, the attack technique jumped into public view last month when HD Moore, the creator of the Metasploit penetration hacking toolkit, said he'd found 40 vulnerable Windows applications. Moore was followed by other researchers, including Kolsek, who claimed different numbers of at-risk programs, ranging from more than 200 to fewer than 30.
Many Windows applications don't call DLLs using a full path name, but instead use only the filename, giving hackers wiggle room that they can then exploit by tricking an application into loading a malicious file with the same title as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shared folders, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.
Binary planting or DLL hijacking attacks have been known about for at least 10 years, and Microsoft was again informed of the problem in August 2009 by researchers at the University of California Davis.
But IE users, particularly those running Windows XP, are especially susceptible, Kolsek said, pointing to testing his firm has conducted.
And that category includes a lot of online users. According to the most recent numbers from Web metric vendor Net Applications, Windows XP powered 66.7% of all Windows machines last month.
Users running IE7 or IE8 on Windows Vista or Windows 7 are safer, said Kolsek, who noted that both browsers run by default in "Protected Mode" on those operating systems. Protected Mode is Microsoft's term for a sandbox-like environment in which IE runs with restricted rights.
The problem on XP is that it automatically opens Windows Explorer, the operating system's file manager, whenever IE encounters a remote shared folder. At that point, the hackers have won, Kolsek said.
"It's not so much that IE itself is vulnerable to binary planting, but that other applications' binary planting vulnerabilities can be exploited relatively easily through IE, and in most cases without a single warning," said Kolsek.
Danish vulnerability tracker Secunia has compiled a list of 175 Windows applications that contain one or more unpatched binary planting bugs. Acros Security has identified more than 500 individual vulnerabilities.
- 5 eDiscovery Challenges Solved eDiscovery challenges continue to present themselves as data storage becomes more complex and grows the Big Data Era. Read this CommVault Solution Brief...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- PST Archiving: What is it and How is it Done? Learn more about what PST data is, the risks relating to it, and how the new PST Archiving feature in the Simpana 10...
- HP DevOps KnowledgeVault This interactive resource focuses on the evolution taking place in the world of software development, specifically the Agile development framework, and the gap... All Malware and Vulnerabilities White Papers | Webcasts
Computerworld has launched its annual search for outstanding IT leaders who align technology with business goals. Nominate a top IT executive for the 2015 Premier 100 IT Leaders awards now through July 18.