Microsoft provides advisory for DLL hijacking exploits
Last updated on: September 7, 2020
Microsoft has just published security advisory KB2269637, which provides IT admins with the information and tools to deal with DLL hijacking. DLL hijacking attacks target Windows applications (third-party and Microsoft) that have not followed recommended security practices and can be tricked into loading DLLs from locations that are owned by the attacker. The attacker-provided DLL is then used to take control of the target machine.
According to security research by Taeho Kwon and Zhendong Su from UC Davis, ACROS Security and HD Moore from Rapid7, it is straightforward to find applications that do not follow these best practices. Two weeks ago iTunes was patched for an occurrence of "binary planting", and Simon Raner of ACROS Security was credited.
The underlying idea of the attack is older (some discussion of the underlying issue dates from 2000) and not limited to Windows. Over time, fixes and workarounds have been implemented, but a new attack vector using network shares and WebDAV makes the attack more practical. With the available documentation and tools it is now easy to find vulnerable applications and craft exploits.
We recommend installing the hotfix in KB2264107 and setting the registry to not allow loading of binaries via network shares and WebDAV (setting 2) as soon as possible.
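To verify the recommended setting on a machine, the following read-only audit is an added example, not code from Microsoft or the original post. It assumes the value name `CWDIllegalInDllSearch`, the key paths and the value meanings documented in KB2264107, and that the hotfix is installed (without it the value has no effect).

```powershell
# Added example: read-only audit of the KB2264107 DLL search-path setting.
# Assumption: value name, key paths and value meanings are from KB2264107.
$ValueName = 'CWDIllegalInDllSearch'
$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdSearchValue {
    param([string]$Path)
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # A DWORD of 0xFFFFFFFF can surface as -1; normalise to unsigned.
    return [uint32]([int64]$item.$ValueName -band 4294967295)
}

function Get-CwdSearchStatus {
    param($Value)
    if ($null -eq $Value)          { return 'NOT SET: default search order applies' }
    elseif ($Value -eq 0)          { return 'WEAK: default search order' }
    elseif ($Value -eq 1)          { return 'PARTIAL: blocks WebDAV only, UNC still allowed' }
    elseif ($Value -eq 2)          { return 'OK: blocks WebDAV and UNC (setting 2)' }
    elseif ($Value -eq 4294967295) { return 'OK: CWD removed from search order' }
    else                           { return 'UNKNOWN value' }
}

# System-wide value first.
$systemValue = Get-CwdSearchValue -Path $SystemKey
$report = @([pscustomobject]@{
    Scope  = 'System-wide'
    Value  = $systemValue
    Status = Get-CwdSearchStatus -Value $systemValue
})

# Per-application values override the system-wide one, so a weaker
# per-application entry silently re-opens the hole for that binary.
Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $appValue = Get-CwdSearchValue -Path $_.PSPath
    if ($null -ne $appValue) {
        $report += [pscustomobject]@{
            Scope  = "Per-app: $($_.PSChildName)"
            Value  = $appValue
            Status = Get-CwdSearchStatus -Value $appValue
        }
    }
}

$report | Format-Table -AutoSize

# To apply setting 2 system-wide (elevated prompt, hotfix installed):
# Set-ItemProperty -LiteralPath $SystemKey -Name $ValueName -Value 2 -Type DWord
```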
- In-depth Info on the SRD Blog
- The Register initial report on the iTunes fix and other afflicted applications
- Gregg Keizer’s excellent summary in Computerworld
- ISC Diary entry