
Hacking toolkit publishes DLL hijacking exploit

Attacks against vulnerable Windows apps likely within weeks

By Gregg Keizer, Computerworld
August 23, 2010 05:58 PM ET

Computerworld - The appearance Monday of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued.

"Once it makes it into Metasploit, it doesn't take much more to execute an attack," said Andrew Storms, director of security operations for nCircle Security. "The hard part has already been done for [hackers]."

Storms was referring to the release earlier today of exploit code by HD Moore, the creator of the Metasploit open-source hacking toolkit.

Moore also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that Moore crafted and added to Metasploit.

Together, the tool and exploit create an effective "point-and-shoot" attack, said Moore.

"With it in Metasploit, people will definitely be looking at these [vulnerabilities]," said Wolfgang Kandek, CTO at Qualys. "They gain a lot of visibility once in Metasploit, and I'd expect to see some kind of public exploit in the next couple of weeks."

According to reports that first appeared last week, developers, including Microsoft's, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

Many Windows programs can be exploited simply by tricking users into visiting malicious Web sites or opening malformed documents because of the way the software loads code libraries -- dubbed "dynamic-link library," or ".dll" in Windows -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for those files, they can hijack the PC.

Moore was the first to broach the subject last week when he announced he'd found 40 vulnerable Windows applications. He was quickly followed by others who claimed different numbers, ranging from over 200 to fewer than 30.

Both Moore and Kandek said that they expect Microsoft to issue an advisory later today that will include defensive workarounds but not a true patch. The latter, Kandek said today -- and Moore said last week -- isn't feasible since the vulnerabilities are in each application's code, not in Windows itself.

"They'll probably give some workarounds and advice, such as to avoid loading DLLs from a network share or WebDAV," said Kandek, referring to the technology built into Windows that allows for file sharing and collaboration on the Web. "I expect that they'll have some kind of tool that will turn off the loading of [DLLs] from WebDAV shares."
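The loading behaviour described above (an application resolving a library from whatever directory it happens to search first, including a document's folder or a network share) is something a defender can look for in image-load telemetry rather than wait for each vendor's fix. The script below is an added example, not code from the article, from Metasploit, or from any of the people quoted; it scans a small set of constructed Process-Monitor-style events (process, operation, path, result; all names and paths are made up) and flags `.dll`, `.exe` or `.com` loads that come from a UNC path, which is how SMB and WebDAV shares appear and is exactly the case the workaround quoted above targets, or from a local directory outside the application's own folder and `C:\Windows`. The trusted-root list and the four-column record layout are assumptions for the example.

```python
import csv
import io
import ntpath

# Constructed image-load events in the shape of a Process Monitor CSV export
# (process, operation, path, result). Process names and paths are made up for
# this example, not recorded from a real system.
SAMPLE_EVENTS = r"""exampleapp.exe,Load Image,C:\Windows\System32\kernel32.dll,SUCCESS
exampleapp.exe,Load Image,C:\Program Files\ExampleApp\exampleapp.exe,SUCCESS
exampleapp.exe,Load Image,\\fileserver\share\docs\hypothetical.dll,SUCCESS
exampleapp.exe,Load Image,C:\Users\alice\Downloads\hypothetical2.dll,SUCCESS
exampleapp.exe,Load Image,C:\Users\alice\Downloads\report.txt,SUCCESS
exampleapp.exe,Load Image,C:\Users\alice\Downloads\missing.dll,NAME NOT FOUND
"""

# The file types the article names as subject to search-order loading.
LIBRARY_EXTENSIONS = {".dll", ".exe", ".com"}
# Assumed trusted system root; covers System32 and SysWOW64 as subdirectories.
SYSTEM_ROOTS = (r"C:\Windows",)


def _under(path: str, root: str) -> bool:
    """True if path lies inside root (case-insensitive, whole components only)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)


def classify_load(path: str, app_dir: str):
    """Return None for an expected load, or a label saying why it is suspect."""
    if ntpath.splitext(path)[1].lower() not in LIBRARY_EXTENSIONS:
        return None
    if path.startswith("\\\\"):
        # UNC path: a remote SMB or WebDAV share, the case the quoted
        # workaround (blocking library loads from network shares) addresses.
        return "network-share"
    if _under(path, app_dir) or any(_under(path, r) for r in SYSTEM_ROOTS):
        return None
    # Anything else (for example the folder of an opened document) is a
    # location that may be writable by others before the application searches it.
    return "untrusted-local"


def audit_events(events_csv: str, app_dir: str):
    """Scan successful image loads and return (label, path) for each suspect one."""
    findings = []
    for row in csv.reader(io.StringIO(events_csv)):
        if len(row) != 4:
            continue
        _process, operation, path, result = row
        if operation != "Load Image" or result != "SUCCESS":
            continue
        label = classify_load(path, app_dir)
        if label is not None:
            findings.append((label, path))
    return findings


if __name__ == "__main__":
    for label, path in audit_events(SAMPLE_EVENTS, r"C:\Program Files\ExampleApp"):
        print(f"{label:16} {path}")
```

On the constructed input only the two loads from the network share and the Downloads folder are reported; the text file is ignored by extension and the failed lookup by result. Failed `NAME NOT FOUND` probes are deliberately left out here because they are normal search-order behaviour; what matters for this class of bug is a library that actually loads from a location the application does not control.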

Fixes for the vulnerabilities may take months, said the experts. "This could turn into an issue like ATL," said Storms, talking about the bug in Active Template Library, a Microsoft-provided code library that had to be patched two summers ago. Then, too, developers, including Microsoft's, had to patch their programs individually.

"Like with ATL, it may take some time to see what's affected," Storms added.

Originally published on www.computerworld.com.
