Attackers exploit DLL vulnerability in Office and other applications
The Internet Storm Centre reports that criminals are already exploiting a DLL vulnerability in numerous applications. Applications targeted by attackers include Microsoft Office, WindowsMail and uTorrent. The number of vulnerable applications is rising almost hourly – searching Exploit Database for "DLL hijacking" reveals that new exploits targeted at popular applications are constantly appearing. Other affected applications include Photoshop and Thunderbird. Updates are already available for VLC (1.1.4) and uTorrent (2.0.4) which protect against DLL hijacking.
DLL hijacking, also known as binary planting, involves attackers exploiting the way Windows searches for DLLs. If a developer fails to explicitly define the path for a DLL, the operating system sequentially searches a series of directories for the required DLL. The penultimate directory searched is usually the working directory, which could be a network share. There are occasions when an application will attempt to load a DLL without knowing in advance whether it's actually installed, for example, when selecting a a video codec. If the program requests a DLL which is not found on a typical system, the operating system will automatically check the working directory.
This means that, for example, when a user starts Media Player Classic by double-clicking on an MP3 file from an SMB or WedDAV share, the program will search the share for the optional
iacenc.dll codec library. If an attacker has placed a crafted file of with this name in the same directory, malicious code contained in the file will be loaded and executed. Users can protect themselves using a tool for system administrators published by Microsoft. After the tool has been installed, the DLL search sequence can be modified using a new registry key and the working directory excluded from the search. However, software developers are being asked to fix the vulnerability in their own applications – Microsoft does not currently plan to release a patch to fix the issue.
There is plenty of room for debate over whether documentation, developer tools or programmers themselves are at fault. The NSA issued a warning about the underlying problem 12 years ago and Microsoft security expert David LeBlanc also pointed out the risk on his blog more than two years ago. It seems that up until now though, no-one noticed that the vulnerability could also be exploited over network shares.