IE, Windows XP Users Vulnerable To DLL Hijacking

Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users on Windows XP, according to Acros Security.

Strategic Security Survey: Global Threat, Local Pain

(click image for larger view and for full photo gallery)
Internet Explorer and Windows XP users are at high risk from attacks that use
DLL hijacking
-- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of whats happening.
Most attack scenarios dont include any security warnings,
said Mitja Kolsek
, CEO of Acros Security. Users should therefore be careful when opening any hyperlinks -- not just on web pages, but also in email, documents and IM messages.
That message runs counter to some current DLL hijacking dogma. Microsofts Jerry Bryant, for instance, was quoted saying: Due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as Important, said Kolsek.
But other researchers have been finding that warnings and dialogs can be scarce, especially given interesting combinations of attacks -- for example, using a uTorrent DLL against Google Chrome -- or just hiding attack code on a regular USB drive, CD or DVD.
To help separate fact from fiction, said Kolsek, We looked at some of the most popular web browsers, most popular email clients and most popular document readers, trying to use them as delivery mechanisms for binary planting attack.
As part of those tests, it found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail and Windows Live Mail client.
Interestingly, however, unlike IE, We found no way to launch Windows Explorer via a hyperlink from
Firefox
, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive -- for example, if attackers email an HTML file, said Kolsek.
Also, when in protected view mode, Word 2010 and Excel 2010 both restrict the attack somewhat, by requiring users to first enable hyperlinks in documents.
But based on the testing by Acros Security, the DLL hijacking vulnerability risk profile now looks worse, not better. Our own experience in penetration testing confirms binary planting to be currently one of the most efficient and reliable methods for obtaining remote access to workstations in target networks, said Kolsek.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
IE, Windows XP Users Vulnerable To DLL Hijacking