A remote code execution vulnerability exists in some versions of Microsoft Windows. The flaw was first described in the ACROS "Security Problem Report" 2010-08-18-1 as "Remote Binary Planting in Apple iTunes for Windows". The issue occurs when a vulnerable file type is opened from a directory or share controlled by an attacker. By default, vulnerable applications load DLLs from the working directory in order to handle the type of file being opened. This can lead to the loading of malicious DLLs and the remote execution of arbitrary code.
Attack Vector: Malicious remote network traffic
User Interaction: User interaction is needed
Vendor Status: Responded, not patched
Vulnerable Systems: Windows 7 x64
2010-08-22: Vulnerability information has been publicly disclosed.
2010-08-23: A proof of concept has been released.
2010-08-23: Vendor has provided information on the vulnerability.
2010-08-23: Vulnerability information has been publicly disclosed.
McAfee is currently unaware of a vendor-supplied patch or update (8/25/2010).
McAfee VirusScan Enterprise users may choose to configure access protection rules to prevent access to at least "*.dll" and "*.ocx" files in untrusted file locations, such as shares that are used for exchanging documents and from which program libraries are unlikely to be loaded.
This can be accomplished with the following steps:
- From the VirusScan console, open the properties dialogue for 'Access Protection'.
- Highlight 'User Defined Rules', and click 'New'.
- Choose the 'File/Folder Blocking Rule' option.
- Name the rule.
- Under 'processes to include', add a wildcard '*' character.
- Under 'File or folder name to block' add a network share followed by \*.dll. It is also recommended to do this for *.ocx file types.
(e.g. F:\Share\**\*.dll)
Please note: This rule may also block non-malicious applications from running on network drives and should be tested for each environment.
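Before enabling the rule, it helps to know which libraries already sit on the share next to files a user might open. The following audit script is an added example, not McAfee or Microsoft code; the function names, the sample tree and the "library beside another file" triage heuristic are assumptions made for illustration.

```python
import os
import tempfile

LIBRARY_EXTS = {".dll", ".ocx"}  # the extensions the rule above blocks

def is_pe(path):
    """True if the file starts with the 'MZ' magic of a Windows executable image."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def audit_share(share_root):
    """Return sorted (relative_dir, library, looks_like_pe, companion_files) tuples
    for every library stored in the same folder as at least one other file."""
    findings = []
    for dirpath, _dirs, files in os.walk(share_root):
        libs = [f for f in files if os.path.splitext(f)[1].lower() in LIBRARY_EXTS]
        companions = sorted(f for f in files if f not in libs)
        if not companions:
            continue  # heuristic: a library-only folder holds nothing a user would open
        rel = os.path.relpath(dirpath, share_root)
        for lib in libs:
            findings.append((rel, lib, is_pe(os.path.join(dirpath, lib)), companions))
    return sorted(findings)

def build_sample_share(root):
    """Constructed sample tree; all file names and contents are made up."""
    layout = {
        "music/playlist.m3u": b"#EXTM3U\n",
        "music/helper.DLL": b"MZ\x90\x00constructed",     # library beside a document
        "reports/q3.doc": b"constructed document",
        "reports/notes.ocx": b"plain text, not a PE",     # matches by extension only
        "tools/lib/codec.dll": b"MZ\x90\x00constructed",  # no other file beside it
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, lib, pe, docs in audit_share(share):
            print(os.path.join(rel, lib), "PE" if pe else "not PE", "next to:", ", ".join(docs))
```

Each reported library is a file the blocking rule would deny access to, so legitimate entries in the output are the applications to test before deployment.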
Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2269637.mspx