Unpatched DLL bugs let hackers exploit Windows 7 and IE9, says researcher

Microsoft is investigating claims by Slovenian security firm set to demo attacks later this month

Although Microsoft has patched multiple DLL load hijacking vulnerabilities since last summer, Windows and Internet Explorer 9 (IE9) can still be exploited, a security company warned today.

Microsoft confirmed that it's investigating the claims by Slovenia-based Acros Security.

Researchers from Acros will demonstrate the new attacks at the Hack in the Box security conference in Amsterdam later this month.

"We'll reveal how IE8 and IE9 can be used on Windows 7, Vista and XP for attacking users without any security warnings, even in 'Protected mode,' and how to remotely make many seemingly-safe applications, for example, Word 2010 and PowerPoint 2010, vulnerable," said Acros CEO Mitja Kolsek in a Friday email.

The attack class called "DLL load hijacking" by some, but dubbed "binary planting" by Acros, jumped into public view last August when HD Moore, the creator of the Metasploit penetration hacking toolkit and chief security officer at Rapid7, found dozens of vulnerable Windows applications. Moore's report was followed by others, including several from Kolsek and Acros.

Many Windows applications don't call DLLs using a full path name, but instead use only the filename, giving hackers a way to trick an application into loading a malicious file with the same title as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shared folders, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.

Since Moore's original report, Microsoft has issued 13 DLL load hijacking-related updates stretching from November 2009 to last month, when it patched a pair in Office and Visual Studio as part of a massive 64-fix update.

But the Redmond, Wash. developer has not closed all the holes in its software, said Kolsek today.

In a blog post, Kolsek outlined still-available DLL load hijacking attack vectors, including one that works against any copy of Windows XP, another that can be used to compromise PCs running the newer Vista or Windows 7 operating systems, and a third that can be exploited through Internet Explorer 9 (IE9), Microsoft's eight-week-old browser.

At Hack in the Box, Kolsek intends to demonstrate exploits of DLL load hijacking bugs in Windows using malicious Word 2010 and PowerPoint 2010 documents, and against IE9.

The IE9 attack works even on Windows 7, where the browser runs in a "sandbox" of sorts, an anti-exploit technology designed to block hackers from infecting a PC. "[The attack works] against Internet Explorer 9 in protected mode on Windows 7 ... without any suspicious double-clicks or security warnings," Kolsek wrote on the Acros blog.

Moore said that the attacks Acros described are feasible.

"[Attackers could use] embedded COM controls within Office documents to load additional DLLs," Moore said in an email reply to questions. "That should be doable through both IE and standalone documents."

Yet hackers apparently haven't jumped on DLL load hijacking vulnerabilities, something other security researchers have noted before.

"These are very difficult to exploit," said Andrew Storms, director of security operations at nCircle Security, in a March interview. "Last year, it was 'Oh my gosh,' but it turned out to be not so easy to exploit these because it required users to browse to the malicious location and open the file, and the attacker to plant a [malicious] DLL and a bad file. That's quite a few steps."

Microsoft said it's looking into the vulnerabilities Acros claimed reside in Windows and IE9.

"Microsoft's research into DLL-preloading issues continues," said Pete Voss, a spokesman for the Microsoft security team, in an emailed statement. "As such, the company is currently investigating public claims of a possible DLL-related vulnerability and once we're done investigating, we will take appropriate action to help protect customers."

At one point last year, Microsoft said it patched all the DLL load hijacking bugs it knew about. "This fixes all of the [Windows] components that we're aware of," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in a December 2010 interview.

At the time, however, Bryant left the door open to more. "We're not closing that [DLL load hijacking] advisory just yet, and will continue to investigate."

That advisory, first released in late August 2010, remains active and open.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon