NEWS FROM THE LAB - Wednesday, August 25, 2010

DLL Hijacking and Why Loading Libraries is Hard
Posted by Antti @ 17:45 GMT

In the past days, a class of exploits that falls under the category of DLL hijacking (or "binary planting") has gotten a lot of attention. Apple's iTunes had problems, and a lot of other applications seem to be falling for the same thing.

The problem is really quite simple. An attacker tries to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) somewhere under the same location. By doing this, he can force a vulnerable application to load and execute the malicious code. So, double-clicking the wrong file on a network share might get your machine infected.

The whole class of problems is really nothing new. As Thierry Zoller points out, a nearly identical issue was reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that was made available by HD Moore last Sunday. It makes finding such vulnerabilities very easy.

So what can you do to keep safe? Microsoft has Security Advisory 2269637 out on the issue. It describes several ways to mitigate the risk. You should also make sure to apply updates from the different vendors for vulnerabilities in their products.

We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities.

Currently we are not aware of any vulnerabilities in our own software, but we are continuing further investigations on the matter.

Signing off,

P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument, LoadLibrary("mylibrary.dll"), can be so difficult to get right?

LoadLibrary MSDN

The documentation for LoadLibrary has about 1100 words, the page describing it in more detail has 1000 words, and the page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary!
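To see why that one call is hard to get right, here is an added example (not from the original post) that models the default directory order the Windows loader walks for an unqualified DLL name with SafeDllSearchMode enabled, and contrasts it with a load that leaves the current directory out of the search. The file layout, the share name, the player path and the %PATH% entry are constructed, and the model ignores KnownDLLs, already-loaded modules and the 16-bit system directory.

```python
"""Simplified model of the Windows DLL search order for an unqualified
LoadLibrary("mylibrary.dll") call (SafeDllSearchMode on). Constructed
illustration: it ignores KnownDLLs, already-loaded modules and the
16-bit system directory, so it is not the real loader."""
from pathlib import PureWindowsPath

APP_DIR = r"C:\Program Files\Player"   # constructed application directory
SHARE = r"\\fileserver\music"           # constructed share the user browsed to
PATH_DIRS = [r"C:\Tools"]               # constructed %PATH% entry

# Constructed file layout: the player ships no mylibrary.dll (an optional
# plug-in it probes for), and two DLLs have been planted next to song.mp3.
FILES = {p.lower() for p in [
    rf"{APP_DIR}\player.exe",
    r"C:\Windows\System32\kernel32.dll",
    rf"{SHARE}\song.mp3",
    rf"{SHARE}\mylibrary.dll",
    rf"{SHARE}\kernel32.dll",
]}

def search_order(cwd, include_cwd=True):
    """Directories consulted, in order, when the name carries no path."""
    dirs = [APP_DIR, r"C:\Windows\System32", r"C:\Windows"]
    if include_cwd:                 # the step binary planting relies on
        dirs.append(cwd)
    return dirs + PATH_DIRS

def resolve(name, cwd, include_cwd=True, files=FILES):
    """Return the path the loader would map, or None if the load fails."""
    p = PureWindowsPath(name)
    if p.is_absolute():             # fully qualified: no search at all
        return str(p) if str(p).lower() in files else None
    for d in search_order(cwd, include_cwd):
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in files:
            return candidate
    return None

# Double-clicking song.mp3 on the share makes the share the current directory.
def vulnerable_load():
    return resolve("mylibrary.dll", cwd=SHARE)   # planted copy is found

def hardened_load():
    # Dropping the current directory from the search (what the advisory's
    # mitigations amount to) turns the planted copy into a clean failure.
    return resolve("mylibrary.dll", cwd=SHARE, include_cwd=False)

def system_dll_load():
    # A planted kernel32.dll loses: System32 is searched before cwd.
    return resolve("kernel32.dll", cwd=SHARE)

if __name__ == "__main__":
    print(vulnerable_load(), hardened_load(), system_dll_load())
```

Naming the file by a fully qualified path (the third way out) skips the search entirely, which the `is_absolute` branch models.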