Hacking toolkit publishes DLL hijacking exploit

Attacks against vulnerable Windows apps likely within weeks

The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.

"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."

Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.

Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.

Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.

"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."

According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.

Moore was the first to broach the subject last week when he announced he'd found 40 vulnerable Windows applications . He was quickly followed by others who claimed different numbers, ranging from over 200 to fewer than 30.

Both Moore and Kandek said that they expect Microsoft to issue an advisory later today that will include defensive workarounds but not a true patch. The latter, Kandek said today -- and Moore said last week -- isn't feasible since the vulnerabilities are in each application's code, not in Windows itself.

"They'll probably give some workarounds and advice, such as to avoid loading DLLs from a network share or WebDAV," said Kandek, referring to the technology built into Windows that allows for file sharing and collaboration on the Web. "I expect that they'll have some kind of tool that will turn off the loading of [DLLs] from WebDAV shares."

Fixes for the vulnerabilities may take months, said the experts. "This could turn into an issue like ATL," said Storms, talking about the bug in Active Template Library, a Microsoft-provided code library that had to be patched two summers ago. Then, too, developers, including Microsoft's, had to patch their programs individually.

"Like with ATL, it may take some time to see what's affected," Storms added.

One thing Storms and Moore both hoped to find out later today is which applications of its own that Microsoft would acknowledge being flawed. "The real question will be what Microsoft apps are affected, and whether they'll address the specifics," said Storms.

Moore was harsher. "Their statements have been disingenuous," he said, of the comments the company reportedly made to University of California Davis Ph.D. candidate Taeho Kwon when he contacted the firm in August 2009 about vulnerabilities he'd uncovered. "They knew then that at least some of their apps were vulnerable."

According to Moore, at least one Microsoft filetype can be exploited to hijack a PC using a DLL-loading bug.

Moore also published a detailed description of the vulnerability, which he dubbed "application DLL load hijacking," as well as some defensive measures users can take, in a Monday entry to the Rapid7 blog.

"I'd disable SMB and disable the Web client in Windows pronto," said Storms.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftsecurityWindowssoftwareoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?