
Microsoft ships 'Fix-It' for DLL load hijacking attack vector

Microsoft has released a Fix-It tool to help mitigate the latest DLL load hijacking issue that exposes Windows users to remote code execution attacks.
Written by Ryan Naraine, Contributor

The flaw, publicly discussed by Metasploit's HD Moore and others, affects hundreds of Windows applications, and each affected application requires its own patch because the fault lies in how that application loads its libraries rather than in a single Windows component.

According to an unofficial list of affected software, the affected vendors include Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and Nokia.

Microsoft previously published a knowledge base article and a utility that adds a system-wide control for disallowing unsafe DLL loading from the current working directory. The company followed that up with a one-click Fix-It tool that automates turning that control on. Both are required for users to protect themselves: the update installs the control, and the Fix-It configures it.

For more official information, read the blog post on the issue from Microsoft's Security Research & Defense team.

Microsoft stresses that this class of vulnerabilities does not enable a “drive-by” or “browse-and-get-owned” attack.

To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays.

Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of file. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it’s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.

The United States Computer Emergency Readiness Team (US-CERT) also recommends the following workarounds until affected vendors release fixes:

  • disable loading libraries from WebDAV and remote network shares
  • disable the WebClient service
  • block outgoing SMB traffic
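The three US-CERT workarounds above, and the registry control that Microsoft's knowledge base utility installs, as an added PowerShell example written by the editor for this page (it is not Microsoft's Fix-It, not US-CERT tooling, and not code from the article). It assumes the following, none of which the article itself states: that the control is the CWDIllegalInDllSearch DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager from Microsoft's KB article, honoured only once that update (or the Fix-It, which installs the same setting) is on the machine; that its documented meanings are 1 for blocking current-directory DLL loads when the current directory is a WebDAV folder, 2 for also blocking when it is any remote (UNC) share, and 0xFFFFFFFF for never loading DLLs from the current directory; and that netsh advfirewall is available (Windows Vista and later) so the script also runs on hosts of that era. The rule name and function names are the editor's own.

```powershell
#Requires -RunAsAdministrator
# Editor-added example, not Microsoft's Fix-It or US-CERT tooling: apply and audit the
# three workarounds listed above. Assumptions the page itself does not state:
#  - "disable loading libraries from WebDAV and remote network shares" is the
#    CWDIllegalInDllSearch DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
#    introduced by Microsoft's KB article; older systems honour it only after that update
#    (or the Fix-It, which installs the same setting) is applied.
#  - its documented meanings: 1 = block DLL loads from the current directory when that
#    directory is a WebDAV folder; 2 = also when it is any remote (UNC) share;
#    0xFFFFFFFF = never load DLLs from the current directory at all.
#  - netsh advfirewall (Windows Vista and later) is used so it runs on 2010-era hosts too.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'CWDIllegalInDllSearch'
$SmbRuleName    = 'Block outbound SMB (DLL preloading workaround)'   # editor's own name

# -1 as an Int32 is how the registry provider writes the DWORD 0xFFFFFFFF.
$PolicyValues = @{ WebDavOnly = 1; Remote = 2; Never = -1 }

function Set-CwdDllLoadPolicy {
    param([ValidateSet('WebDavOnly', 'Remote', 'Never')][string]$Mode = 'Remote')
    # -Force overwrites an existing value; DWord is the type the KB documents.
    New-ItemProperty -Path $SessionManager -Name $ValueName -PropertyType DWord `
        -Value $PolicyValues[$Mode] -Force | Out-Null
}

function Disable-WebClient {
    # WebClient is the WebDAV mini-redirector. Without it, an HTTP share cannot be
    # mounted as a path, so a malicious WebDAV server cannot become the current directory.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

function Block-OutboundSmb {
    # Delete first so re-running the script does not stack duplicate rules.
    netsh advfirewall firewall delete rule name="$SmbRuleName" | Out-Null
    netsh advfirewall firewall add rule name="$SmbRuleName" dir=out action=block `
        protocol=TCP remoteport=139,445 | Out-Null
}

function Get-DllPreloadWorkaroundState {
    $raw = (Get-ItemProperty -Path $SessionManager -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
    # X8 on a negative Int32 prints its two's-complement form, so -1 shows as FFFFFFFF.
    $policy = if ($null -eq $raw) { 'not set (default search order)' } else { '0x{0:X8}' -f $raw }
    $svc    = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
    $start  = if ($svc) { $svc.StartMode } else { 'service not present' }
    # "show rule" prints an "Enabled:" line only when a matching rule exists.
    $rule   = netsh advfirewall firewall show rule name="$SmbRuleName" |
              Select-String -SimpleMatch 'Enabled:'
    [pscustomobject]@{
        CwdDllPolicy       = $policy
        WebClientStart     = $start
        OutboundSmbBlocked = [bool]$rule
    }
}

# Apply all three workarounds, then report the resulting state.
Set-CwdDllLoadPolicy -Mode Remote
Disable-WebClient
Block-OutboundSmb
Get-DllPreloadWorkaroundState | Format-List
```

Two caveats a practitioner would want before rolling this out. The strictest setting (Never, stored as 0xFFFFFFFF) removes the current directory from the DLL search order for every process and can break applications that legitimately load libraries from the directory they were started in, so Remote (2) is the setting that matches the workaround as US-CERT words it. Blocking outbound TCP 139 and 445 on a domain-joined workstation also cuts it off from file servers and from the domain's SYSVOL and NETLOGON shares, so in practice that rule belongs at the network egress point, not on every endpoint; Disable-WebClient has no such side effect beyond losing WebDAV mounts.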

Microsoft says it will fix its own affected products either via security bulletins or defense-in-depth operating system changes.
