Windows DLL exploits boom; hackers post attacks for 40-plus apps

Publish exploits to subvert Firefox, Chrome, Word, Photoshop, Skype, dozens more

Some of the world's most popular Windows programs are vulnerable to a major bug in how they load critical code libraries, according to sites tracking attack code.

Among the Windows applications that can be exploited using a systemic bug that many have dubbed "DLL load hijacking," are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.

"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of exploit postings for the vulnerability in Windows software called "DLL load hijacking" by some, "binary planting" by others.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Some of the world's most popular Windows programs are vulnerable to a major bug in how they load critical code libraries, according to sites tracking attack code.

Among the Windows applications that can be exploited using a systemic bug that many have dubbed "DLL load hijacking," are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.

"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of exploit postings for the vulnerability in Windows software called "DLL load hijacking" by some, "binary planting" by others.

On Monday, Microsoft confirmed reports of unpatched vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. The flaws stem from the way many Windows applications call code libraries -- dubbed "dynamic-link library," or "DLL" -- that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL.

If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.

Even before Microsoft described the problem, published its protective tool, and said it could not address the wide-ranging issue by patching Windows without crippling countless program, researcher HD Moore posted tools to find vulnerable applications and generate proof-of-concept code.

The majority of the exploits published in the last 48 hours have been generated by Moore's auditing tool and the generic exploit module added to the open-source Metasploit penetration testing toolkit.

Several sites have taken to tracking the applications that people have found vulnerable, including an informal list kept by Peter Van Eeckhoutte, a Belgium IT manager, and a longer one of published proof-of-concept exploits maintained by Offensive Security, an online security training company.

Among the 40 exploits listed by Offensive were ones for several Adobe products, including InDesign, Illustrator and Photoshop; a number of Microsoft-made programs, including a pair that were revealed yesterday by Slovenian security firm Acros; and other popular applications, such as Foxit Reader, uTorrent and Wireshark.

As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone.

The flood will likely continue: Yesterday, Moore updated his DLLHijackAuditKit to version 2, making it easier to use and quicker at identifying buggy programs.

"I don't recall seeing a list like that so quickly," said Marc Fossi, director of Symantec's security response team. "But at the same time I'm not surprised."

Fossi compared it to an earlier disclosure of a broad class of vulnerabilities that more than 10 years ago led to a large number of exploits in a short span of time. "It's like when format string errors were first discovered and you had all these apps being found that were vulnerable," Fossi said.