Microsoft ships 'Fix-It' for DLL load hijacking attack vector

Summary: Microsoft has released a Fix-It tool to help mitigate the latest DLL load hijacking issue that exposes Windows users to remote code execution attacks.


The flaw, publicly discussed by Metasploit's HD Moore and others, affects hundreds of Windows applications and requires a separate patch for each affected application.


According to this unofficial list of affected software, the affected vendors include Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and Nokia.

Microsoft previously published a knowledge base article and a utility to help protect systems by disallowing unsafe DLL-loading behavior.  The company followed that up with a new one-click Fix-It tool that automates the mitigation. Both tools are required for users to protect themselves.

For more official information, read this very important blog post from Microsoft's Security Research & Defense team.


Microsoft stresses that this class of vulnerabilities does not enable a “drive-by” or “browse-and-get-owned” attack.

To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays.

Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of file. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it’s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.

The U.S. Computer Emergency Response Team (US-CERT) is also recommending the following workarounds until fixes are released by the affected vendors:

  • disable loading libraries from WebDAV and remote network shares
  • disable the WebClient service
  • block outgoing SMB traffic
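As an added example (not from the article, Microsoft or US-CERT), the script below applies the second and third workarounds on a Windows host and verifies them; the first workaround is what Microsoft's utility and Fix-It described above configure, so it is not repeated here. The firewall rule name is an assumption, and blocking outbound TCP 139/445 also cuts the host off from ordinary file shares, which is the trade-off the workaround accepts.

```powershell
# Added example: apply and verify two of the US-CERT workarounds from the text
# (disable the WebClient service, block outgoing SMB). Run from an elevated
# PowerShell prompt on Windows Vista/Server 2008 or later (netsh advfirewall).

$RuleName = "Block outbound SMB (DLL preloading workaround)"  # assumed rule name
$SmbPorts = "139,445"   # NetBIOS session service and direct-hosted SMB

function Disable-WebClientService {
    # WebClient is the WebDAV redirector; with it stopped and disabled, Explorer
    # cannot browse the attacker-controlled WebDAV shares the article describes.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "WebClient service not present"; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

function Block-OutboundSmb {
    # Remove any earlier copy of the rule first so the script is safe to re-run.
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
        protocol=TCP remoteport=$SmbPorts | Out-Null
}

function Test-Workarounds {
    # Returns $true only when both workarounds are in effect.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $svcOk = ($null -eq $svc) -or
             ($svc.Status -ne 'Running' -and
              (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode -eq 'Disabled')
    $ruleOk = (netsh advfirewall firewall show rule name="$RuleName") -match 'Block'
    return ($svcOk -and $ruleOk)
}

Disable-WebClientService
Block-OutboundSmb
if (Test-Workarounds) { "Workarounds applied" }
else { Write-Warning "Verification failed; review the output above" }
```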

Microsoft says it will fix its own affected products either via security bulletins or defense-in-depth operating system changes.



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
