Windows DLL Vulnerability: Microsoft Security Flaw
Computerworld ^ | August 23, 2010 | Gregg Keizer

Posted on 08/24/2010 11:30:28 AM PDT by stripes1776

Computerworld - The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.

"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."

Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.

Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.

Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.

"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."

According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.

...

(Excerpt) Read more at computerworld.com ...


TOPICS: Computers/Internet
KEYWORDS: dll; flaw; microsoft; security
This looks like a dilemma for Microsoft: fix the problem and they break a lot of programs.
1 posted on 08/24/2010 11:30:33 AM PDT by stripes1776

To: stripes1776
visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries

...which is why we strictly control surfing and file downloads on our networks. It's all you can do until MS has a fix for it.

And better the exploit code is in Metasploit than lying low in a black hat forum somewhere. This way at least you can test your systems for this vulnerability.
2 posted on 08/24/2010 11:37:52 AM PDT by battousai (Conservatives are racist? YES, I hate stupid white liberals.)

To: stripes1776

Gives whole new meaning to the term: DLL Hell


3 posted on 08/24/2010 11:47:54 AM PDT by AFreeBird

To: battousai
...which is why we strictly control surfing and file downloads on our networks. It's all you can do until MS has a fix for it.

It sounds like you have a good security policy in place. But for others who don't have these restrictions in place, network administrators had better get busy.

4 posted on 08/24/2010 11:51:42 AM PDT by stripes1776

To: battousai

There is no substitute for locking down the system folders and maintaining access to them on a need to know basis.

Also it helps to run a good anti malware product, such as Kaspersky.


5 posted on 08/24/2010 11:52:38 AM PDT by rahbert

To: AFreeBird
Gives whole new meaning to the term: DLL Hell

DLL Hell indeed. Windows is showing its origins in stand-alone PCs that were not networked.

6 posted on 08/24/2010 11:55:56 AM PDT by stripes1776

To: stripes1776
Run Deep Freeze. Doesn't matter what's loaded, just reboot and you're back to normal.

We used it in a middle school computer lab of about 40 Windows XP Pro PCs. The only calls we got after installing Deep Freeze were for hardware issues, not a single software or OS issue.

It also eliminated the need for antivirus, spyware, and malware programs.

http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeCorporate.aspx

7 posted on 08/24/2010 12:04:41 PM PDT by Sergio (If a tree fell on a mime in the forest, would he make a sound?)

To: rahbert
There is no substitute for locking down the system folders and maintaining access to them on a need to know basis.

That is a good security policy, but most people are not system administrators. They are just people with computers who want to get some work done or surf the Internet. They won't know how to take the appropriate precautions.

The problem is with the Windows operating system. It allows code to be loaded and run in a rather promiscuous manner. But many legitimate programs rely on this promiscuous behavior to run. If Microsoft fixes the operating system, then a lot of programs will break, including some programs from Microsoft.

This is going to take months to sort out.

8 posted on 08/24/2010 12:11:57 PM PDT by stripes1776

To: stripes1776

So if I understand right, if the hacker can get the victim to download and save a copy of a file, then the computer can be compromised because that file might be loaded by another application already on the machine.

And this is different from a trojan - how?

Sorry, but the last line of defense is ALWAYS the user, and if you can get them to download and install your application, I don’t care WHAT kind of OS or virus protection they run - you own them.


9 posted on 08/24/2010 1:01:41 PM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: PugetSoundSoldier

How about a FIRST line of defense, say a bounty on hackers and writers/disseminators of malware?

Maybe just an open season... Bow, muzzle-loader, center-fire, shotgun, 2x4, crowbar???


10 posted on 08/24/2010 1:11:21 PM PDT by BwanaNdege ("There are consequences for being wrong" - Burt Rutan)

To: BwanaNdege

Hey, sounds good to me as long as the tags are a reasonable price! :)


11 posted on 08/24/2010 1:24:27 PM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: PugetSoundSoldier
So if I understand right, if the hacker can get the victim to download and save a copy of a file, then the computer can be compromised because that file might be loaded by another application already on the machine.

It has to do with the way that Windows loads .dll files. These files are executable code that the operating system loads dynamically and runs. There is a search order that the operating system uses to load these files. Every running application has the concept of a working directory or current directory (folder). Windows has a search order that it uses to find .dll files. By default the Windows operating system looks first in the same folder as the data file that has just been loaded. Then it looks in system folders. All the malicious hacker has to do is place a malicious .dll file in the same folder that you are downloading data from on a network, and the user's machine is now owned by the malicious hacker.

You can change the search order so that Windows looks in the system folders first and last in the working directory that the data came from. But if the name of the .dll is unique, Windows will still find the file and load it. The user's system is still compromised.

And this is different from a trojan - how?
Sorry, but the last line of defense is ALWAYS the user, and if you can get them to download and install your application, I don’t care WHAT kind of OS or virus protection they run - you own them.

The user does not have to download and install an application. The application is already installed. The installed applications use .dll files. These .dll files will download automatically and run as part of the application. All the malicious hacker has to do is put a malicious .dll file in the same folder as the data you are looking at in an application. There is nothing to install.

12 posted on 08/24/2010 1:31:54 PM PDT by stripes1776

To: stripes1776
Programs load DLLs for functionality. Some programs use the full path to the DLL, and that isn't vulnerable unless the file can't be found. Others state only the file name, and the system then searches in a pre-configured list of directories for that file to load. This exploit requires the placement of a malicious DLL somewhere in that list of directories before the real one.

The developer has to do some really stupid programming in order for this to work. Normally programs look for DLLs in their own program folder, a known shared DLL folder, or in the system32 folder. Normally browsers can be made to save on the desktop, my documents, or a download folder. The guy was able to exploit IE on this because IE actually looked in the desktop for DLL files. Huh? Some developer at Microsoft needs to be slapped, same for the developers of any of these other apps who did similar things.

13 posted on 08/24/2010 1:52:07 PM PDT by antiRepublicrat

To: antiRepublicrat
The guy was able to exploit IE on this because IE actually looked in the desktop for DLL files. Huh? Some developer at Microsoft needs to be slapped, same for the developers of any of these other apps who did similar things.

Well, that practice was not a problem back in the days when a Windows PC was a stand-alone machine without a connection to a network. But that is precisely the problem today when most computers are connected to a network. Even Microsoft still has applications that look in the current directory for .dll files. An operating system should not let a programmer do that in the first place.

Microsoft could patch Windows so that it will not look in the current directory. But then a lot of programs that depend on this feature will break. So, in the meantime, developers and vendors will have to rewrite their applications. At some point in the future, probably a few years from now, Microsoft will have to break backward compatibility.

14 posted on 08/24/2010 2:02:09 PM PDT by stripes1776

To: antiRepublicrat; stripes1776

This is a MAJOR flaw. I mean, it’s below OS level error, it’s systemic. Every program calls and looks for dll’s. And it seems there is no “special” place for them, you can look on your desktop!

WOW!

So much for the late great Windows 7....


15 posted on 08/24/2010 2:06:05 PM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)

To: RachelFaith
This is a MAJOR flaw. I mean, it’s below OS level error, it’s systemic. Every program calls and looks for dll’s.

Yes, this is a major security hole. It will keep network administrators very busy locking down their networks.

Unfortunately, the everyday home user is not a network or system administrator. An operating system should not even allow this sort of behavior.

16 posted on 08/24/2010 2:18:07 PM PDT by stripes1776

To: stripes1776

I haven’t been able to find out if this is an OLD flaw that was just exploited or if this is something NEW in the way they designed Windows 7. Seems the media is not making this very clear. I don’t run windows 7. I have a bootcamp image of XP Pro SP3.


17 posted on 08/24/2010 2:33:59 PM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)

To: RachelFaith
I haven’t been able to find out if this is an OLD flaw that was just exploited or if this is something NEW in the way they designed Windows 7. Seems the media is not making this very clear.

This is an old flaw that has raised its head again. Microsoft has changed the order of the search path for .dll files with the latest SPs. Windows will then search system folders first and then the current directory last. But if the name of the .dll is unique, it will still be found in the current directory, loaded, and executed as part of the application.

18 posted on 08/24/2010 2:47:36 PM PDT by stripes1776
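The search-order behaviour described in posts 12, 13 and 18, as an added example that is not part of the thread or the Computerworld article: a small Python simulation of the documented Windows DLL search order run against a constructed file set, showing that "system folders first" only protects DLL names that actually exist in a system folder, while a full-path load skips the search entirely. Assumptions: the paths, application directory and file share are made up; `safe_mode` stands for the SafeDllSearchMode setting the thread calls "changing the search order"; `is_hijackable` is a hypothetical helper name.

```python
# Added example (not from the thread): simulate the documented Windows DLL
# search order to show which bare DLL names would resolve to the untrusted
# current directory, i.e. the directory the opened document came from.

# Constructed sample filesystem: lowercase full paths that "exist".
SAMPLE_FS = {
    r"c:\program files\viewer\viewer.exe",
    r"c:\windows\system32\shell32.dll",
    r"c:\windows\system32\version.dll",
    r"\\fileserver\share\docs\report.doc",        # document the user opened
    r"\\fileserver\share\docs\version.dll",       # planted copy of a system DLL name
    r"\\fileserver\share\docs\plugin_extra.dll",  # planted DLL with a unique name
}

SYSTEM_DIRS = [r"c:\windows\system32", r"c:\windows\system", r"c:\windows"]


def search_dirs(app_dir, cwd, safe_mode=True, path_dirs=()):
    """Directories Windows walks when a DLL is requested by bare file name.

    safe_mode=True mirrors SafeDllSearchMode (system folders before the
    current directory, as posts 12 and 18 describe); False is the older
    order with the current directory right after the application directory.
    """
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve(dll_name, app_dir, cwd, safe_mode=True, fs=SAMPLE_FS):
    """Return the full path the loader would pick, or None if absent everywhere."""
    if "\\" in dll_name or "/" in dll_name:
        # A full path is loaded as given, no search (post 13's safe case).
        return dll_name.lower() if dll_name.lower() in fs else None
    for directory in search_dirs(app_dir, cwd, safe_mode):
        candidate = f"{directory}\\{dll_name}".lower()
        if candidate in fs:
            return candidate
    return None


def is_hijackable(dll_name, app_dir, cwd, safe_mode=True, fs=SAMPLE_FS):
    """True when the DLL that would load lives in the untrusted current directory."""
    found = resolve(dll_name, app_dir, cwd, safe_mode, fs)
    return found is not None and found.startswith(cwd.lower() + "\\")
```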

To: stripes1776

WOW....

I mean most of the hacks I use just replace the actual DLL written for the App, but this is like “Hey what’s this DLL doing here? Oh well, I’m a dumb OS, I will just load it and see what it tells me to do”.

EEEEK


19 posted on 08/24/2010 2:51:30 PM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)

To: RachelFaith

There’s a special place for them, System32. It also looks in the same folder the exe was run from, which could be the desktop. This has been how Windows works since day 1, somebody just finally figured out you could stick evil dlls in the search path.


20 posted on 08/24/2010 3:01:57 PM PDT by discostu (Keyser Soze lives)
