Microsoft Windows DLL Load Hijacking (2269637)
Affected OS: Windows XP (Service Pack 3, [++])
Description: A remote code execution vulnerability exists in some versions of Microsoft Windows.
Recommendation: Currently we are unaware of a vendor-supplied patch or update (9/17/2010).
A Microsoft Fix it Solution has been posted:
Users may choose to configure access protection rules to prevent access of at least ?*.dll? and ?*.ocx? from untrusted file locations where you share documents but are unlikely to be loading program libraries from.
This can be accomplished per the below steps:
– From the VirusScan console, open the properties dialogue for ‘Access Protection’.
– Highlight ‘User Defined Rules’, and click ‘New’.
– Choose the ‘File/Folder Blocking Rule’ option.
– Name the rule.
– Under ‘processes to include’, add a wildcard ‘*’ character.
– Under ‘File or folder name to block’ add a network share followed by *.dll. It is also recommended to do this for *.ocx file types.
(i.e. – F:Share***.dll)
Please note: This rule may also block non-malicious applications from running on network drives and should be tested for each environment.
Observation: A remote code execution vulnerability exists in some versions of Microsoft Windows.
The flaw was first described in the Arcos “Security Problem Report” 2010-08-18-1 as “Remote Binary Planting in Apple iTunes for Windows”.
The issue occurs when vulnerable file types are opened from within a directory/share determined by an attacker. Vulnerable applications will launch DLLs in the working directory by default in order to handle the type of file that is being opened. This can lead to the loading of malicious DLLs and the remote execution of arbitrary code.
Common Vulnerabilities & Exposures (CVE): NA
IAVA Reference Number: NA