Microsoft ships 'Fix-It' for DLL load hijacking attack vector

Summary: Microsoft has released a Fix-It tool to help mitigate the latest DLL load hijacking issue that exposes Windows users to remote code execution attacks.


Microsoft has released a Fix-It tool to help mitigate the latest DLL load hijacking issue that exposes Windows users to remote code execution attacks.

The flaw, publicly discussed by Metasploit's HD Moore and others, affects hundreds of Windows applications and requires a separate patch for each affected program.

According to this unofficial list of affected software, the affected vendors include Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and Nokia.

Microsoft previously published a knowledge base article and a utility to help protect systems by disallowing unsafe DLL-loading behavior.  The company followed that up with a new one-click Fix-It tool that automates the mitigation. Both tools are required for users to protect themselves.

For more official information, read this very important blog post from Microsoft's Security Research & Defense team.

Microsoft stresses that this class of vulnerabilities does not enable a “drive-by” or “browse-and-get-owned” attack.

To be exploited, a victim would need to browse to a malicious WebDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays.

Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of file. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it's very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker.

The U.S. Computer Emergency Readiness Team (US-CERT) is also recommending the following workarounds until fixes are released by affected vendors:

  • disable loading libraries from WebDAV and remote network shares
  • disable the WebClient service
  • block outgoing SMB traffic
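The three US-CERT workarounds above can be applied together from an elevated PowerShell prompt. This is an added example, not a script from the article, Microsoft or US-CERT; it assumes the `CWDIllegalInDllSearch` registry value that Microsoft's knowledge base article documents (not named on this page; value 2 refuses DLL loads from a current working directory that is a WebDAV or other remote share) and the `NetSecurity` firewall cmdlets available on Windows 8 / Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the US-CERT DLL-preloading workarounds on one host.
# Assumption: CWDIllegalInDllSearch is the machine-wide DWORD from Microsoft's
# KB article; 2 = block DLL loads from a WebDAV or UNC current directory.
$ErrorActionPreference = 'Stop'

# 1. Disable loading libraries from WebDAV and remote network shares.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
New-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Disable the WebClient service (the WebDAV redirector) so Explorer can
#    no longer browse WebDAV shares at all.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Block outgoing SMB (TCP 139 and 445) at the host firewall so a DLL
#    search can never reach a remote share over the network.
#    Caveat: this also breaks legitimate access to file and print servers.
$ruleName = 'Block outbound SMB (DLL preload workaround)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Protocol TCP -RemotePort 139, 445 -Action Block -Profile Any | Out-Null
}

# Report the resulting state so the change can be verified or audited.
[pscustomobject]@{
    CWDIllegalInDllSearch = (Get-ItemProperty -Path $key).CWDIllegalInDllSearch
    WebClientStartup      = (Get-Service -Name WebClient).StartType
    SmbOutboundBlocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName `
                                -ErrorAction SilentlyContinue)
}
```

Per-application overrides of the DLL search behaviour live under the Image File Execution Options key and are not touched here; the machine-wide value is the one the workaround list asks for.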

Microsoft says it will fix its own affected products either via security bulletins or defense-in-depth operating system changes.


Talkback

4 comments
  • RE: Microsoft ships 'Fix-It' for DLL load hijacking attack vector

    Even though this bug wasn't critical due to the extremely hard nature to exploit it, I'm still impressed with the seriousness that Microsoft took with it.
    Loverock Davidson
    • Fart recall alert!!!

      Redmond wants you in for repair.

      Don't make them wait.
      OS Reload
  • RE: Microsoft ships 'Fix-It' for DLL load hijacking attack vector

    Good job Microsoft
    shellcodes_coder
  • RE: Microsoft ships 'Fix-It' for DLL load hijacking attack vector

    Good to see Redmond ahead of the curve for once.
    loupgarous