IT Trenches » exploit

DLL hole also affects EXE files

Troy Tate — Fri, 10 Sep 2010 15:56:05 +0000

According to a Heise Media report, the DLL binary planting vulnerability is not just limited to DLL files but affects EXE files.

The example given: An HTML file is saved along with a copy of a file called EXPLORE.EXE. The HTML file is opened and has a URI link embedded with the address file://. This will cause the browser to attempt to open EXPLORE.EXE from the local folder.

The current Microsoft workarounds for the DLL vulnerability only apply to DLL’s, not EXE’s.

See this news posting for additional information.

Information security continues to be a struggle against function, features and stopping bad things from happening. What are your thoughts about where this is going?

Thanks for reading & let’s continue to be good network citizens!

Whak-a-mole testing for Microsoft DLL exploit

Troy Tate — Tue, 24 Aug 2010 20:01:58 +0000

HD Moore of Metasploit fame has created a tool to identify applications which exhibit the DLL hijack flaw about which Microsoft recently released a security advisory. This tool in HD Moore’s own words

will turn a desktop PC into a game of whack-a-mole by launching the file handlers for every registered file type, while recording whether or not a DLL was accessed within the working directory of the associated file.

To find out more about this DLL hijack exploit test kit and to get the tool see HD’s blog.

This could be a serious issue so I am waiting to see what develops out here now that Metasploit has released a working exploit plugin also.

What are your thoughts on this vulnerability? Do you have Windows developers which may have created risks for your organization by poor development practices? Let me and other ITKE readers know about your experiences with this vulnerability and if you have used the DLL hijack exploit test tool and how your testing went. Thanks for reading and let’s continue to be good network citizens!

Sure you can use my security context – exploit me!

Troy Tate — Fri, 22 Jan 2010 19:34:47 +0000

I recently blogged about the fact that the initial reports of the Google Aurora attack focused on Internet Explorer version 6. Some comments on the Information Security Community Group on LinkedIn got me thinking about another part of the successful exploit that could have reduced the impact, if not completely prevented it.

The Microsoft security bulletin states that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That’s great news for a lot of organizations that have taken the operational stance of least user access or the principle of least privilege. Not everyone has to run everything as a local administrator on their computer. This would prevent a lot of home users from being infected and definitely help businesses reduce the impact of successful exploits of known and previously unknown vulnerabilities.

How much news about security breaches do you think there would be if LUA was put into practice everywhere possible? Maybe then we could focus on addressing other business application issues like getting incompatible applications upgraded from Internet Explorer 6 to IE8.

Thanks for reading and let’s continue to be good network citizens!