May 09, 2011, 10:22 AM — Even after a slew of patches to Windows 7 and Internet Explorer 9, Microsoft has still not quashed all the bugs in the most up-to-date versions of two of its core applications to prevent them from being taken over using an exploit it first attempted to fix in November, 2009.
"DLL load hijacking" takes advantage of the applications' trust in Dynamic Link Libraries (DLL) and the assumption that any DLL an application can launch has already been checked for malware and securely installed on the system, according to Slovenian Acros Security, which issued a warning about the bug Friday.
Windows-based applications rely heavily on DLLs to supply specific application functions and integration among applications. Most call DLLs by file name, rather than by using the full path to where the DLL should be stored.
Acros describes an exploit in which applications unknowingly call on malware because it has the same name as a commonly used DLL.
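A defender's check for the situation described above, as an added example that is not part of the original article or of Acros's advisory: it flags DLL load arguments given without a full path, and finds DLL files in untrusted folders that share a name with one in a trusted directory. The directory layout, file names and function names are constructed for illustration.

```python
import ntpath
import os
import tempfile

def unqualified_loads(load_args):
    """Return DLL load arguments that are not fully qualified Windows paths."""
    return [a for a in load_args if not ntpath.isabs(a)]

def find_shadowing_dlls(trusted_dir, scan_dirs):
    """Return DLLs under scan_dirs that share a file name with a DLL in trusted_dir."""
    # Windows file names are case-insensitive, so compare in lower case.
    trusted = {n.lower() for n in os.listdir(trusted_dir)
               if n.lower().endswith(".dll")}
    hits = []
    for top in scan_dirs:
        for dirpath, _subdirs, files in os.walk(top):
            hits += [os.path.join(dirpath, f) for f in files if f.lower() in trusted]
    return sorted(hits)

def demo():
    """Build a constructed directory tree and run the shadowing check on it."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "System32")   # stands in for the trusted directory
        docs = os.path.join(root, "Users", "alice", "Documents")
        os.makedirs(system)
        os.makedirs(docs)
        for path in (os.path.join(system, "common.dll"),
                     os.path.join(system, "helper.dll"),
                     os.path.join(docs, "COMMON.DLL"),    # same name, untrusted folder
                     os.path.join(docs, "report.docx")):  # unrelated file, ignored
            open(path, "wb").close()
        hits = find_shadowing_dlls(system, [os.path.join(root, "Users")])
        return [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]

if __name__ == "__main__":
    # Constructed load arguments: one bare name, one full path.
    print(unqualified_loads(["common.dll", r"C:\Windows\System32\helper.dll"]))
    print(demo())
```
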
DLL loads are particularly dangerous because Windows-based apps (and Windows) trust them implicitly, under the assumption that if they're present, they were scanned through proper security filters and installed with the user's knowledge.
Faked DLLs face few restrictions and little risk of detection on systems that are vulnerable to them, Acros reported.
Firefox was also vulnerable to DLL loads at one point, but it fixed the problem last year.
The phony DLL can come from anywhere – a web site that downloads it in the background, an infected USB or email, shared folders – any way that gets the fake DLL onto the targeted machine.
Microsoft has released 13 patches to prevent DLL load hijacking – the first in November, 2009 – but hasn't closed all the holes, according to Acros.
Among the openings still available is one that works on any version of Windows XP, and others that work on either Vista or Windows 7, and on IE9, even in Windows 7, which runs browsers in a sandbox designed to pin any malware in place.
It even works in protected mode, and through applications that are not themselves the source of the infection.