Microsoft Windows Still Vulnerable To DLL Hijacking

Even patched applications arent safe from bug, says ACROS security researcher.

(click image for larger view)
Slideshow: Windows 7 Revealed
Even patched Windows applications remain vulnerable to dynamic link library (DLL) hijacking -- aka DLL planting and DLL loading -- attacks due to the erratic way in which Windows attempts to load DLLs.
That warning comes from a security advisory released on Wednesday by
ACROS Security
.
How can attackers take advantage of the
DLL vulnerability
? According to Microsoft: When an application dynamically loads a dynamic link library (DLL) without specifying a fully qualified path name, Windows tries to locate the DLL by searching a well-defined set of directories. If an attacker gains control of one of the directories, they can force the application to load a malicious copy of the DLL instead of the DLL that it was expecting. As a result, attackers can execute arbitrary code using the current users access level.
To help developers code applications that avoid this DLL-hijacking vulnerability, Microsoft had released
SetDllDirectory
. This function allows developers to eliminate the current working directory from Windows DLL searches, to frustrate attackers who might otherwise use that directory to hide malicious DLL files.
But developers cant rely on SetDllDirectory, because it behaves erratically, at least on Windows XP Professional 32 bit, Windows Vista Business 32 and 64 bit, and Windows 7 Professional 32 bit, said Mitja Kolsek, CEO of Acros Security.
The issue is that Windows often botches relative file location searches. Until Microsoft fixes this bug, any application that sets user or system path can unwittingly make your application vulnerable to binary planting if youre loading libraries from relative paths, he said. Furthermore, even when developers write absolute paths, Windows may still treat them as relative ones, or alter other important variables after users log off and log back in.
To help, Kolsek urged developers to use absolute, fully qualified paths to DLLs when loading them. While that wont block every type of DLL-hijacking attack, it will mitigate many of them.
Note that Microsofts current DLL-hijacking hotfix does still work, at least against certain types of attacks. This hotfix successfully blocks DLL loads from the current working directory if configured properly, even if relative locations are found in the PATH, said Kolsek. That said, it will not block
executable files
from exploiting the DLL hijacking vulnerability. To date, according to
Secunia
, a vulnerability information provider, 211 applications are vulnerable to DLL-hijacking attacks. So far, however, only 25 have been patched.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Microsoft Windows Still Vulnerable To DLL Hijacking