Posted on 08/24/2010 11:30:28 AM PDT by stripes1776
Computerworld - The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.
"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."
Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.
Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.
Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.
"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."
According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.
Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.
...
(Excerpt) Read more at computerworld.com ...
Gives whole new meaning to the term: DLL Hell
It's sounds like you have a good security policy in place. But for others who don't have these restrictions in place, network administrators had better get busy.
There is no substitue for locking down the system folders
and maintaining access to them on a need to know basis.
Also it helps to run a good anti malware product, such as Kaspersky.
DLL Hell indeed. Windows is showing it's origins in stand-alone PCs that were not networked.
We used it in a middle school computer lab of about 40 Windows XP Pro PCs. The only calls we got after installing Deep Freeze were for hardware issues, not a single software or OS issue.
It also eliminated the need for antivirus, spyware, and malware programs.
http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx
That is a good security policy, but most people are not system administrators. They are just people with computers who want to get some work done or surf the Internet. They won't know how to take the appropriate precautions.
The problem is with the Windows operating system. It allows code to be loaded and run in a rather promiscuous manner. But many legitimate programs rely on this promiscuous behavior to run. If Microsoft fixes the operating system, then a lot of program will break, including some programs from Microsoft.
This is going to take months to sort out.
So if I understand right, if the hacker can get the victim to download and save a copy of a file, then the computer can be compromised because that file might be loaded by another application already on the machine.
And this is different from a trojan - how?
Sorry, but the last line of defense is ALWAYS the user, and if you can get them to download and install your application, I don’t care WHAT kind of OS or virus protection they run - you own them.
How about a FIRST line of defense, say a bounty on hackers and writers/disseminators of malware?
Maybe just an open season... Bow, muzzle-loader, center-fire, shotgun, 2x4, crowbar???
Hey, sounds good to me as long as the tags are a reasonable price! :)
It has to do with the way that Windows loads .dll files. These files are executable code that the operating system loads dynamically and runs. There is a search order that the operating system uses to load these files. Every running application has the concept of a working directory or current directory (folder). Windows has a search order that it uses to find .dll files. By default the Windows operating system looks first in the same folder as the data file that has just been loaded. Then it looks in system folders. All the malicious hacker has to do is place a malicious .dll file in the same folder that you are downloading data from on a network, and the user's machine is now owned by the malicious hacker.
You can change the search order so that Windows looks in the system folders first and last in the working directory that the data came from. But if the name of the .dll is unique, windows will still find the file and load it. The user's system is still compromised.
And this is different from a trojan - how?
Sorry, but the last line of defense is ALWAYS the user, and if you can get them to download and install your application, I don’t care WHAT kind of OS or virus protection they run - you own them.
The user does not have to download and install an application. The application is already installed. The installed applications use .dll files. These .dll files will download automatically and run as part of the application. All the malicious hacker has to do is put a malicious .dll file in the same folder as the data you are looking at in an application. There is nothing to install.
The developer has to do some really stupid programming in order for this to work. Normally programs look for DLLs in their own program folder, a known shared DLL folder, or in the system32 folder. Normally browsers can be made to save on the desktop, my documents, or a download folder. The guy was able to exploit IE on this because IE actually looked in the desktop for DLL files. Huh? Some developer at Microsoft needs to be slapped, same for the developers of any of these other apps who did similiar things.
Well, that practice was not a problem back in the days when a Windows PC was a stand-alone machine without a connection to a network. But that is precisely the problem today when most computers are connected to a network. Even Microsoft still has applications that look in the current directory for .dll files. An operating system should not let a programmer do that in the first place.
Microsoft could patch Windows so that it will not look in the current directory. But then a lot of programs that depend on this feature will break. So, in the meantime, developers and vendors will have to rewrite their applications. At some point in the future, probably a few years from now, Microsoft will have to break backward compatibility.
This is a MAJOR flaw. I mean, it’s below OS level error, it’s systemic. Every program calls and looks for dll’s. And it seems their is no “special” place for them, you can look on your desktop!
WOW!
So much for the late great Windows 7....
Yes, this is a major security hole. It will keep network administrators very busy locking down their networks.
Unfortunately, the every day home user is not a network or system administrator. An operating system should not even allow this sort of behavior.
I haven’t been able to find out if this is an OLD flaw that was just exploited or if this is something NEW in the way they designed Windows 7. Seems the media is not making this very clear. I don’t run windows 7. I have a bootcamp image of XP Pro SP3.
This is an old flaw that has risen its head again. Microsoft has changed the order of the search path for .dll files with the latest SPs. Windows will then search system folders first and then the current directory last. But if the name of the .dll is unique, it will still be found in the current directory, loaded, and executed as part of the application.
WOW....
I mean most of the hacks I use just replace the actual DLL written for the App, but this is like “Hey whats’s this DLL doing here? Oh well, I’m a dumb OS, I will just load it and see what it tells me to do”.
EEEEK
There’s a special place for them, System32. It also looks in the same folder the exe was run from, which could be the desktop. This has been how Windows works since day 1, somebody just finally figured out you could stick evil dlls in the search path.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.