
Microsoft blocks DLL load hijacking attacks

But Microsoft won't say whether Windows apps are vulnerable

Microsoft responded to reports of potential zero-day attacks against a large number of Windows programs by publishing a tool it said would block known exploits.

However, the company declined to confirm whether any of its own applications are vulnerable, saying that it is currently investigating Microsoft-made software.

Monday's security advisory was its first public reaction to a wave of reports from researchers that developers have left a large number of Windows programs open to attack.

Many Windows applications load code libraries (dynamic-link libraries, or DLLs) by bare filename rather than by full path. When only a name is supplied, Windows walks a fixed list of directories looking for a file of that name, and that list includes the current working directory, which for a document-handling program is typically the folder the opened document lives in. An attacker who can place a malicious file with the same name as a required DLL in one of those directories, for instance on a network share or Web site alongside a lure document, gets the application to load and execute the attacker's code. The result: the attacker controls the PC, with the privileges of the user who opened the file, and can plant malware on the machine.
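As an added illustration (this code is not from the article, from Microsoft or from the researchers it cites), the following PowerShell models the loader's default search order for a bare-name load, builds a throwaway directory layout, and shows why a DLL planted next to a lure document wins when the application itself does not ship that DLL. The directory names, the program name and the DLL name `plugin.dll` are made up for the demonstration; the search order itself (application directory, System32, System, the Windows directory, the current working directory, then PATH) is the documented SafeDllSearchMode order that has been the default since Windows XP SP2. Real loader details such as KnownDLLs, already-loaded modules and manifest redirection are not modelled.

```powershell
# Added example, not code from the article or from Microsoft.
# Models how LoadLibrary("name.dll") resolves a bare file name under the default
# (SafeDllSearchMode) order and shows where a planted DLL gets picked up.

function Resolve-DllByName {
    param(
        [Parameter(Mandatory=$true)] [string] $DllName,
        [Parameter(Mandatory=$true)] [string] $AppDir,     # directory of the running .exe
        [Parameter(Mandatory=$true)] [string] $Cwd,        # current working directory
        [string[]] $SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot),
        [string[]] $PathDirs = ($env:Path -split ';' | Where-Object { $_ }),
        [switch] $BlockRemoteCwd   # models an admin setting that skips a remote (\\server\share) CWD
    )
    # A fully qualified name is never searched: only that exact path is tried.
    # This is the developer-side fix.
    if ([System.IO.Path]::IsPathRooted($DllName)) {
        return [pscustomobject]@{ Source = 'absolute path'; Path = $DllName
                                  Found = (Test-Path -LiteralPath $DllName -PathType Leaf) }
    }

    # Documented SafeDllSearchMode order for a bare name.
    $order = @( @{ Source = 'application directory'; Dir = $AppDir } )
    foreach ($d in $SystemDirs) { $order += @{ Source = 'system directory'; Dir = $d } }
    $cwdIsRemote = $Cwd.StartsWith('\\')
    if (-not ($BlockRemoteCwd -and $cwdIsRemote)) {
        $order += @{ Source = 'current working directory'; Dir = $Cwd }
    }
    foreach ($d in $PathDirs) { $order += @{ Source = 'PATH'; Dir = $d } }

    foreach ($entry in $order) {
        $candidate = Join-Path $entry.Dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return [pscustomobject]@{ Source = $entry.Source; Path = $candidate; Found = $true }
        }
    }
    return [pscustomobject]@{ Source = 'none'; Path = $null; Found = $false }
}

# Constructed layout: 'app' stands in for the program's install folder,
# 'share' for the network share or WebDAV folder the victim opens a document from.
$base     = Join-Path $env:TEMP ('dllhijack-demo-' + [guid]::NewGuid())
$appDir   = Join-Path $base 'app'
$shareDir = Join-Path $base 'share'
New-Item -ItemType Directory -Path $appDir, $shareDir | Out-Null
Set-Content -Path (Join-Path $shareDir 'report.doc') -Value 'lure document'
Set-Content -Path (Join-Path $shareDir 'plugin.dll') -Value 'attacker-controlled bytes'   # planted DLL

# Vulnerable pattern: the program calls LoadLibrary("plugin.dll") for an optional
# library it does not ship, while the CWD is the folder the document came from.
# The planted copy in 'share' is the first match.
Resolve-DllByName -DllName 'plugin.dll' -AppDir $appDir -Cwd $shareDir

# Developer fix: load by full path. Nothing is searched, so nothing can be substituted.
Resolve-DllByName -DllName (Join-Path $appDir 'plugin.dll') -AppDir $appDir -Cwd $shareDir

# Admin-side mitigation modelled with -BlockRemoteCwd: a remote CWD is skipped entirely.
Resolve-DllByName -DllName 'plugin.dll' -AppDir $appDir -Cwd '\\fileserver\docs' -BlockRemoteCwd

Remove-Item -Recurse -Force $base
```

The first call returns the copy under `share`, which is the hijack; the second reports the application's own path as not found rather than silently substituting another file, which is the behaviour a developer wants; the third never considers the remote directory at all. Note that the hijack only needs a DLL the application asks for but does not have in its own directory or in a system directory, which is why optional and delay-loaded libraries were the ones researchers found exploitable.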

HD Moore, chief security officer at Rapid7 and the creator of the Metasploit penetration testing toolkit, was the first to reveal the potential attacks when he announced last week that he'd found 40 vulnerable Windows applications. Moore was followed by other researchers who claimed different numbers of at-risk programs, ranging from over 200 to fewer than 30.

Microsoft went to lengths today to tell users that the flaw isn't in Windows. "We're not talking about a vulnerability in a Microsoft product," said Christopher Budd, a senior communications manager with the company's MSRC, or Microsoft Security Response Center. "This is an attack vector that tricks an application into loading an untrusted library."

Because the fault lies in how application developers load libraries, not in Windows itself, Microsoft can't simply remove the current working directory from the search order in the operating system without breaking an unknown number of programs that rely on it. Instead, Microsoft and third-party developers must sniff out which of their programs are vulnerable, then patch each separately.

To ward off attacks until then, Microsoft has, as expected, released a tool that blocks applications from loading DLLs out of untrusted working directories, such as those on an organization's network shares, on WebDAV-served Web sites and on USB drives, all possible vectors.

"The tool restricts the loading of remote libraries on a per app [basis] or in a blanket implementation," said Budd. The tool can be downloaded using Windows version-specific links in a just-published support document.

Microsoft's tool targets enterprises, not consumers, said Budd, and won't be pushed to customers automatically through the company's Automatic Updates service. In the advisory, Microsoft listed other workarounds customers could take, including blocking outbound SMB (Server Message Block) traffic at the firewall, which stops Windows from fetching a planted DLL off a hostile share on the Internet, and disabling Windows' built-in WebDAV client, which closes the equivalent route over HTTP. Last week, Moore had recommended users do both, based on his preliminary work.

Budd also argued that the possible exploits spelled out by Moore and others represent a new attack vector, a claim that some researchers rejected.
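The following is an added example of applying the advisory's workarounds from an elevated PowerShell prompt; it is not Microsoft's tool and not code from the article. The registry value `CWDIllegalInDllSearch` and the meanings of its settings are taken from Microsoft support article KB 2264107, which the article does not name and which has to be installed before the value does anything, so check the current support document before relying on it. `viewer.exe` is a hypothetical program name standing in for an application you have confirmed to be vulnerable.

```powershell
# Added example, not Microsoft's tool or code from the article. Run elevated.

# 1. Disable the WebDAV redirector so a Web link can no longer set an
#    application's working directory to an attacker's WebDAV folder.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service -Name WebClient -StartupType Disabled

# 2. Block outbound SMB (TCP 139 and 445) at the host firewall so the loader
#    cannot pull a DLL from a hostile share on the Internet. netsh is used because
#    the NetSecurity cmdlets do not exist on Vista, 7 or Server 2008.
#    Caveat: this also blocks legitimate file shares reached over the same ports.
netsh advfirewall firewall add rule name="Block outbound SMB (DLL load hijack workaround)" `
    dir=out action=block protocol=TCP remoteport=139,445 enable=yes

# 3a. Blanket setting (assumes KB 2264107 is installed): value 2 tells the loader
#     to skip the current working directory when it is a remote WebDAV or UNC
#     location; 1 skips it only for WebDAV; 0xFFFFFFFF drops it from the search
#     order entirely, which is safest but may break applications that depend on it.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Set-ItemProperty -Path $sessionMgr -Name CWDIllegalInDllSearch -Value 2 -Type DWord

# 3b. Per-application setting under Image File Execution Options, for one program
#     known to be vulnerable: remove the CWD from its search order completely.
#     -1 as a 32-bit value is 0xFFFFFFFF; the registry provider rejects the
#     unsigned literal as too large for a DWORD.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\viewer.exe'
if (-not (Test-Path -LiteralPath $ifeo)) { New-Item -Path $ifeo -Force | Out-Null }
Set-ItemProperty -Path $ifeo -Name CWDIllegalInDllSearch -Value ([int32]-1) -Type DWord

# 4. Verify what was set.
Get-ItemProperty -Path $sessionMgr -Name CWDIllegalInDllSearch
Get-ItemProperty -Path $ifeo -Name CWDIllegalInDllSearch
Get-Service -Name WebClient | Select-Object Name, Status
netsh advfirewall firewall show rule name="Block outbound SMB (DLL load hijack workaround)"
```

The per-application form is the one to prefer where you have an inventory of affected programs: it leaves everything else on the machine untouched, whereas the blanket 0xFFFFFFFF setting is exactly the change Microsoft says it cannot make in the operating system without breaking software.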

"This [has been] known since 2000, and I also reported it in 2006," said Israeli researcher Aviv Raff on Twitter Monday. Raff had revealed a DLL load hijacking bug in Internet Explorer 7 (IE7) in December 2006. Microsoft waited until April 2009 to patch Raff's IE vulnerability.

Microsoft has refused to say whether any of its applications include the programming flaw that would make them vulnerable. "We're going through [our products] and researching," said Budd. "If there are vulnerabilities, we'll address them."

Earlier today, several outside security researchers said they would be interested to know whether any Microsoft software is at risk, which would mean that Microsoft's developers had not followed the company's advice to third-party programmers.

Budd said he couldn't immediately confirm that Microsoft has known of the DLL load hijacking vulnerabilities since at least August 2009, when University of California Davis researcher Taeho Kwon said he contacted the company. Today, Budd said that he understood that Microsoft had been working the problem only for the "past couple of weeks."

If Kwon's timeline is accurate, Microsoft's inability to name which of its products, if any, are vulnerable will likely seem especially odd to researchers.

The MSRC engineering team also published some technical information about the attack vector and the blocking tool on Microsoft's "Security Research & Defense" blog Monday.
