Microsoft Issues DLL Hijack Blocker Tool

Microsoft reacted to reports of rampant new zero-day electronic attacks on numerous third-party Windows applications by issuing a tool that prevents DLL hijacking, the underlying technique used in the attacks.

Paul Thurrott

August 24, 2010

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Microsoft reacted to reports of rampant new zero-day electronic attacks on numerous third-party Windows applications by issuing a tool that prevents DLL hijacking, the underlying technique used in the attacks. The flaw was originally discovered last year by a security software firm that expressed surprise at how easily exploitable it was across a wide range of Windows applications.

Microsoft's initial response includes a tool that mitigates the risk of attack by preventing applications from insecurely loading code from Windows library files, called DLLs (Dynamic Link Libraries).

"This issue is caused by specific insecure programming practices that allow so-called 'binary planting' or 'DLL preloading attacks', a Microsoft security advisory reads. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location."

According to Microsoft, only those applications that do not properly and securely load DLLs are affected, and it had long ago published guidelines for the proper way of doing so. But Arcos Security, the company that originally found the flaw, says it was surprised by how many applications are vulnerable.

"Initially expecting only a few bugs here and there, we were surprised to find about 90 percent of the 220 widely-used applications \[we tested were\] vulnerable," a blog posting on Arcos' website reads. "And when I say "vulnerable", I mean vulnerable to remote execution in a real-world scenario, without having any privileges on the user's computer ... we can safely say that all Windows users can at this moment be attacked via at least one remote binary planting vulnerability."

Arcos said it informed Microsoft about the flaw early in 2010, giving the software giant time to research the problem further and develop a fix. However, when the flaw was found in Apple's iTunes software, "the cat was out of the bag," and security firms began noticing that the same flaw could be exploited in many other third-party applications as well.

Meanwhile, Microsoft has been criticized for not "fixing" the flaw, noting that doing so would cause rampant compatibility issues. According to the software giant, the core issue is the applications, not Windows, and if the software giant changes how Windows works, it will break those applications that do work correctly.

Read more about:

Microsoft

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like