Gizmos Freeware Reviews  

Old 25. Aug 2010, 12:36 PM   #1 (permalink)
Senior Member
 
Join Date: Mar 2010
Posts: 400
Windows DLL bug

Windows DLL bug hits dozens of apps

But maybe there's not much to worry about:
Quote:
Also, it should be noted that DLL planting requires significant user interaction and cannot be exploited by simply browsing to a web page. An attacker would have to convince a user to click a link to their SMB (Server Message Block) or WebDAV (Web-based Distributed Authoring and Versioning) share and then convince the user to open a file from that share which would trigger additional dialogs prompting the user to OK the action
So success would require dollops of inexperience on the part of a user.
vasa1 is offline   Reply With Quote
Old 26. Aug 2010, 07:48 AM   #2 (permalink)
Editor
 
Join Date: Apr 2010
Location: இந்தியா, सिन्धु, India
Posts: 324

Yes, user interaction is needed for this to work! (just like 99% of the vulnerabilities)

One of the comments in the register has put it quite well:


1) you download a zip file that purports to be a copy of "some media" you wanted to view, maybe a PDF, maybe an mp3 or .mov. When you unzip it, the directory contains the file you wanted to see (could be a real version), a readme.txt, some html links, and a few libraries (like usedbypopularmediaplayer.dll). Knowing Windows, those files might be hidden/system and would still work. When you open the pdf/mp3/mov, it runs stuff from the shipped library, and you get hacked. Even better would be a zip file that when opened contains another zip file and some libraries like usedbypopularzipprogram.dll.

In this case, yes, you downloaded stuff from the internet and opened it in Windows, more fool you.

However, people are less careful when running media files or opening zip files, especially when it's an established format with no current vulnerabilities.

2) At work you use a network drive full of (say) Microsoft Word documents that you open on a regular basis.

Someone (or a virus on someone's system) with write access to the network drive drops a couple of dlls (usedbymicrosoftword.dll, usedbyopenoffice.dll) into that directory. Suddenly, everyone that opens a file from there gets infected, but your antivirus doesn't pick up anything wrong with the documents themselves.

3) As 2), but the dll is dropped on removable media in a directory containing media files accessed by viewers known to be vulnerable. Said media is copied a billion times and handed out at a security conference by a major corporate. Although those that access the media probably have all the autorun stuff disabled, and scan the files for viruses, they still get caught when they open the media files.

http://forums.theregister.co.uk/foru...ll_casualties/
Concerned User is online now   Reply With Quote
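
Added example, not part of the thread: scenarios 2) and 3) in the post above leave a library sitting beside documents or media, so a defender can sweep a share or removable drive for exactly that layout. The extension lists, function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed extension lists for illustration; tune them to what your users open.
DOC_EXTS = {".pdf", ".mp3", ".mov", ".doc", ".docx", ".zip"}
LIB_EXTS = {".dll", ".ocx"}
HIDDEN_OR_SYSTEM = 0x2 | 0x4  # Windows FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def is_hidden(path):
    """True when the Windows hidden/system attribute is set; always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_OR_SYSTEM)

def find_colocated_libraries(root):
    """Report each library that shares a directory with documents or media under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        libs = sorted(f for f in files if Path(f).suffix.lower() in LIB_EXTS)
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOC_EXTS)
        if not (libs and docs):
            continue  # program folders that hold only libraries are not flagged
        for lib in libs:
            findings.append({
                "directory": dirpath,
                "library": lib,
                "hidden": is_hidden(os.path.join(dirpath, lib)),
                "documents": docs,
            })
    return findings

def build_sample_tree(base):
    """Constructed sample data: one document folder with a library, two benign folders."""
    layout = {
        "reports": ["q1.doc", "usedbymicrosoftword.dll"],
        "music": ["song.mp3"],
        "app/bin": ["viewer.exe", "codec.dll"],
    }
    for folder, names in layout.items():
        target = Path(base, folder)
        target.mkdir(parents=True)
        for name in names:
            (target / name).write_bytes(b"")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_colocated_libraries(build_sample_tree(tmp)):
            print(hit)
```

A hit is a lead to review, not proof of planting: some portable applications legitimately ship libraries next to their data files.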
Old 26. Aug 2010, 08:40 AM   #3 (permalink)
Senior Member
 
Join Date: Mar 2010
Posts: 400

Quote:
Originally Posted by Concerned User View Post
Yes, user interaction is needed for this to work! (just like 99% of the vulnerabilities)

One of the comments in the register has put it quite well:


1) you download a zip file that purports to be a copy of "some media" you wanted to view, maybe a PDF, maybe an mp3 or .mov. When you unzip it, the directory contains the file you wanted to see (could be a real version), a readme.txt, some html links, and a few libraries (like usedbypopularmediaplayer.dll). ...
When was the last time that a .pdf or .mp3 file came with readmes, links, and libraries?
vasa1 is offline   Reply With Quote
Old 29. Aug 2010, 08:16 AM   #4 (permalink)
Senior Member
 
Join Date: Mar 2010
Posts: 400

Here's a little more:
DLL Hijacking: Facts and Fiction
vasa1 is offline   Reply With Quote
Old 29. Aug 2010, 02:08 PM   #5 (permalink)
Site Manager
 
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 9,250

Quote:
Originally Posted by vasa1 View Post
Here's a little more:
DLL Hijacking: Facts and Fiction
Good article which should go some way towards curing the headless chicken syndrome for folks who bother to read it
__________________
Knows nothing and cares even less
MidnightCowboy is online now   Reply With Quote
Old 02. Sep 2010, 08:27 AM   #6 (permalink)
Editor
 
Join Date: Apr 2010
Location: இந்தியா, सिन्धु, India
Posts: 324

Microsoft has released a "fix-it". More info from the reg:

http://www.theregister.co.uk/2010/09..._hijack_fixit/
Concerned User is online now   Reply With Quote
Old 02. Sep 2010, 08:22 PM   #7 (permalink)
Senior Member
 
Join Date: Nov 2009
Posts: 440

Now, let me see if I understood this correctly.
MS built a "Fix It" thingy that changes the value of a registry entry from whatever it currently is to "2"?
But, in order to use it, you should have already installed the previous "Fix It", whose only function was to create that registry entry?

And that's to protect you from
Quote:
...this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do...
One would think that by now, at the end of 2010, one or two things about safe surfing would have been taught to Internet users (friends, parents, school).

It seems that both the KB2264107 tool and the current "Fix It", do only the system-wide protection, while for the other scenarios one has still to manually fiddle through the registry.

Or did I understand it wrong?
__________________
26Dolphins
26Dolphins is offline   Reply With Quote