Even after a slew of patches to Windows 7 and Internet Explorer 9, Microsoft has still not quashed all the bugs in the most up-to-date versions of two of its core applications that let them be taken over using an exploit it first attempted to fix in November, 2009.
"DLL load hijacking" takes advantage of applications' trust in Dynamic Link Libraries (DLLs) and the assumption that any DLL an application can load has already been checked for malware and securely installed on the system, according to Slovenia's Acros Security, which issued a warning about the bug Friday.
Windows-based applications rely heavily on DLLs to supply specific application functions and integration among applications. Most call DLLs by file name, rather than by using the full path to where the DLL should be stored.
Acros describes an exploit in which applications unknowingly load malware because it carries the same file name as a commonly used DLL.
DLL loads are particularly dangerous because Windows-based apps (and Windows) trust them implicitly, under the assumption that if they're present, they were scanned through proper security filters and installed with the user's knowledge.
Faked DLLs face few restrictions, or even much risk of detection, on systems that are vulnerable to them, Acros reported.
Firefox was also vulnerable to DLL load hijacking at one point, but Mozilla fixed the problem last year.
The phony DLL can come from anywhere – a web site that downloads it in the background, an infected USB or email, shared folders – any way that gets the fake DLL onto the targeted machine.
Microsoft has released 13 patches to prevent DLL load hijacking – the first in November, 2009 – but hasn't closed all the holes, according to Acros.
Among the openings still available is one that works on any version of Windows XP, and others that work on either Vista or Windows 7, and on IE9, even on Windows 7, which runs browsers in a sandbox designed to pin any malware in place.
It even works in protected mode, and through applications that are not, themselves, the source of the infection.
In other words, you could install the skankiest piece of shareware or pirated software available online, scan it, run it in a virtual machine with no direct access to your hard drive and, if you downloaded the malware DLL along with the .css, .gif, text, html and other bits of your favorite web sites, the malware would take over your system the first time Word or PowerPoint or even your anti-virus software called a legitimate DLL and got the crooked one instead.
Acros posted a set of guidelines for developers listing ways to avoid having their apps compromised.
It also posted guidelines for admins on how to avoid DLL load attacks – which are also called Binary Planting attacks.
Disable the WebClient Service on Windows PCs
Install Microsoft's CWDIllegalInDllSearch hotfix and set the global registry value to 2
Deploy Windows Software Restriction Policy or Windows AppLocker
Use a security product that detects unknown/modified binaries
Have your Windows environment analyzed for Binary Planting vulnerabilities
Block outbound SMB connections on the firewall
Block outbound WebDAV communications
Restrict write-access to shared folders on the network
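The following read-only audit script is an added example, not code from Acros or Microsoft; it checks the host-side items in the list above on a Windows Vista/7 machine. It assumes an elevated PowerShell prompt, reads the KB2264107 registry value the hotfix introduces, and uses the HNetCfg.FwPolicy2 COM interface for firewall rules because Windows 7 has no firewall cmdlets; the AppLocker cmdlets may be absent, so that check degrades to "no rules".

```powershell
# Read-only audit of the admin-side Binary Planting mitigations (added example).
# Assumed: elevated PowerShell 2.0+ on Windows Vista/7. Nothing here changes settings.
$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. WebClient service must be disabled, not merely stopped: it is what lets a
#    WebDAV share act as an application's current directory.
$svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
Add-Check 'WebClient service disabled' ($svc -ne $null -and $svc.StartMode -eq 'Disabled') `
    ("StartMode=" + $svc.StartMode + " State=" + $svc.State)

# 2. KB2264107 hotfix switch: a value of 2 blocks DLL loads from a remote
#    (WebDAV or UNC) current working directory. Missing value = hotfix not applied/unset.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwd = (Get-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
Add-Check 'CWDIllegalInDllSearch = 2' ($cwd -eq 2) `
    ("Value=" + $(if ($cwd -eq $null) { 'missing' } else { $cwd }))

# 3. Software Restriction Policy with a default-deny level, or AppLocker with at
#    least one rule collection in enforce mode (a policy with no rules blocks nothing).
$srp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
$srpDeny = ($srp -ne $null -and $srp.DefaultLevel -eq 0)   # 0 = Disallowed
$alEnforced = 0
try {
    $alEnforced = @((Get-AppLockerPolicy -Effective).RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' }).Count
} catch { }
Add-Check 'SRP default-deny or AppLocker enforced' ($srpDeny -or $alEnforced -gt 0) `
    ("SRP default-deny=$srpDeny; AppLocker enforced collections=$alEnforced")

# 4. Host firewall: enabled outbound BLOCK rules for SMB (TCP 445) and for the
#    WebClient service (WebDAV rides over HTTP, so it is blocked per service, not per port).
#    INetFwRule constants: Direction 2 = outbound, Action 0 = block, Protocol 6 = TCP.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$outBlocks = @($fw.Rules | Where-Object { $_.Enabled -and $_.Direction -eq 2 -and $_.Action -eq 0 })
$smb = @($outBlocks | Where-Object { $_.Protocol -eq 6 -and (($_.RemotePorts -split ',') -contains '445') })
$dav = @($outBlocks | Where-Object { $_.ServiceName -eq 'WebClient' })
Add-Check 'Outbound SMB (TCP 445) blocked' ($smb.Count -gt 0) ("Matching rules: " + $smb.Count)
Add-Check 'Outbound WebDAV (WebClient) blocked' ($dav.Count -gt 0) ("Matching rules: " + $dav.Count)

$results | Format-Table Check, Passed, Detail -AutoSize
```

A perimeter firewall rule that blocks outbound 445 and WebDAV is not visible to this script, so a failed firewall check on the host is a prompt to verify the network boundary, not proof the control is absent.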
And keep your eyes out for anything risky -- like anything that runs on Windows or comes from Microsoft.
Microsoft has made huge strides in security during the past few years. Being unable to crush a vulnerability like this is more than weak, though. It's irresponsible.