Ask the Expert

Computer hijacking: Protecting against the Microsoft DLL download flaw

How does the new Microsoft DLL load-hijacking flaw work, and how can we protect our enterprise against it and other flaws like it?

    Requires Free Membership to View

The Microsoft DLL load-hijacking flaw that enables computer hijacking was announced by ACROS Security as binary planting; H.D. Moore also added additional details he had found independently while working on the Windows LNK vulnerability. The basic problem is that Windows will load a DLL from potentially unsafe locations like the current working directory, a malicious archive file, USB drive, network share or WebDAV. This could allow an attacker to execute arbitrary code on a computer in the context of the currently logged-on user.

This functionality in Windows has been a problem for many years, and this is not the first time Microsoft has addressed this sort of flaw. The different but related problem of conflicting DLLs, seen for example with mapi32.dll, has been long-term one for Windows, going back as far as Windows NT. Windows is also not the only platform in which a malicious DLL could be used to attack a system. Unix-based systems can also be configured to load the DLL equivalents from the current working directory, but configuring the current working directory in the path is not the default on Unix, as it is in Windows, making Unix exploitation less likely.

You can protect your enterprise by using the Microsoft DLL download FixIt that disables the Windows Webclient service in order to prevent loading libraries from WebDAV and network shares, or by blocking outgoing Windows networking traffic at your firewall. You will also need to use software, such as Firefox 3.6.9 or later, that securely loads DLLs, following Microsoft's DLL-loading guidance to remove this vulnerability fully. You will need to thoroughly test this fix before deploying it, however, because many enterprises install software to the network, which requires legitimate DLLs to be loaded from network shares; deploying the fix may impact this functionality.

This was first published in September 2010

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: