Windows DLL ExploitAugust 27th, 2010
A far-reaching Windows application exploit has been making the news recently, and I’m here to tell you that it’s no big deal if you’re careful.
The core issue is this: when opening an application, Windows has a list of locations that it searches for the various executable library files needed to run the program. For versions of Windows prior to XP SP2, the very first location it searches is the “current” working directory. For XP SP2 and later, the current directory is searched last.
The exploit is simple: a hacker provides a document and, in the same directory as the document, places a malicious library with the same name as a library used by the application that will open the file. When the user double-clicks on the document, Windows will load and execute the malicious library instead of the correct one—because it comes first in the search list. Thus the hacker gets you to run malicious code of his choosing, which is the holy grail of hacking. Obviously this is more difficult in post-XP SP2 versions of Windows, because the current directory is searched last, but the exploit is still possible.
An example of how this could occur would be if you found a flash drive on the ground and plugged it into your computer. Another would be if you downloaded a directory with some movies from the Internet and double-clicked on one to watch it. A third possibility is opening a document over a network, where the other computer has already been hacked. With knowledge of this issue, however, and if you are careful about what files you download and open, this vulnerability becomes manageable.
Unfortunately this is not a Windows bug that can be fixed. It’s a design decision from the early days of PC operating systems, and it’s so deeply embedded in the architecture that it won’t be changed. Doing so would break a great many applications. Microsoft has done what it can to make things safer. They modified the search order, so that the current directory is searched last instead of first. Applications can specify that the current directory not be searched at all. There are hundreds of popular programs that don’t do this, and it’s up to each individual program to enable that setting.
That being said, Microsoft has released a patch that enables you to change how code libraries are loaded on your computer.
Link #1: http://www.infoworld.com/…
(via Kim Komando)
Link #2: http://arstechnica.com/…