A month ago on Black Tuesday of April 2009, Microsoft patched a handful of vulnerabilities, some of them are known for quite some time now.
In this post I’ll talk about one vulnerability in particular – the DLL-load hijacking vulnerability in Microsoft Internet Explorer 7 which was found by Aviv Raff on October 2006.
The DLL-load hijacking vulnerability allows loading specific DLL files (imageres.dll, schannel.dll and sqmapi.dll) from the desktop when running Internet Explorer. An attacker may leverage this vulnerability to execute arbitrary code in the context of the application by placing a specially crafted DLL file on a user’s desktop.
So why Microsoft did patch a security bug after two and a half years? Well, that’s a long story.
At first, Microsoft issued this vulnerability as a “bad behavior” bug and although Aviv’s warnings they didn’t relate any security considerations to this issue. Microsoft stated that if an attacker was able to create a specially crafted DLL file on a user desktop, that desktop must have already been compromised. Then on December 2006, Aviv published a PoC exploit code for the vulnerability on milw0rm and still, no patch from Microsoft. Even on April 2008 when Windows XP SP3 was released, Microsoft hasn’t provided a solution or a workaround of any kind for this issue.
On May 2008, Nitesh Dhanjani detailed several vulnerabilities found in Apple Safari, one of them was the “Safari Carpet Bomb” vulnerability, which enabled an attacker to force the browser to download files without the user’s consent. The default download path of Apple Safari for Windows is the user desktop.
Combining the DLL-load hijacking vulnerability and the Safari Carpet Bomb vulnerability, Aviv was able to prove a fully automated remote code execution attack. With the help of Ryan Naraine, Microsoft and Apple started taking these issues seriously after the two sent Microsoft the proof-of-concept. Microsoft released a security advisory for this “blended threat” and eventually on June 2008, Apple fixed the Safari Carpet Bomb vulnerability.
And then on April 2009, two and a half years after Aviv reported this issue, Microsoft finally patched the DLL-load hijacking vulnerability.
You can read a detailed disclosure timeline on this blog post by Aviv Raff. Further information regarding this “blended threat” can be found on CVE-2008-2540 and BID 29445.
To mitigate this issue, Microsoft released two patches:
MS09-014 – which is a cumulative security update for Internet Explorer. Regarding the DLL-load hijacking vulnerability, this patch modifies the way Internet Explorer loads files from the desktop.
MS09-015 – providing additional defense in depth protections, with this patch Microsoft introduced a new API – SetSearchPathMode which sets the per-process mode when using the SearchPath function to locate files, allows applications to force the current directory to be searched after the application and system locations.
Additional information about these patches can be found in the security bulletins and in this post on the Microsoft Security Research & Defense blog.
And now for the interesting part, what Microsoft DON’T want you to know.
As stated on the MS09-014 security bulletin, the DLL-load hijacking vulnerability affects Internet Explorer 7 and lower versions. Internet Explorer 8 users are immune to this vulnerability, Microsoft claims.
This statement is not true, Internet Explorer 8 (RTM, build 8.0.6001.18702) is, in fact, vulnerable to the DLL-load hijacking vulnerability. Not only that, this is not the only vulnerability patched in MS09-014 that affect Internet Explorer 8, but that’s a subject for another blog post.
Here’s a video demonstrating the attack on IE8 – ie8_dll_hijack.swf.
Also, Internet Explorer is not the only application vulnerable to the DLL-load hijacking vulnerability. Almost every Microsoft application I’ve tested is vulnerable and also some third party applications. For example, Microsoft Office 2007 is vulnerable.
Here’s a video demonstrating the attack on Microsoft Office Word 2007 – office_dll_hijack.swf.
As I mentioned, at first Microsoft didn’t consider this issue to be a security vulnerability due to the fact that an attacker would have to create a specially crafted DLL file on a user’s computer to exploit it. Well, I can come up with many ways to leverage this attack, for example, using P2P file sharing applications and protocols, such as BitTorrent. Attackers can distribute warez (movies, software, books and etc’) packed to a ZIP or a RAR file, add to the package a malicious DLL file and a readme .html or .doc file (or both). Once the victim downloads the malicious package and opens the readme file – GAME OVER.
So, does Microsoft lie in security bulletins to their customers? They probably are… Have a happy Black Tuesday! :-)
Categories: Vulnerabilities
11 Comments | 
Comments RSS | 
TrackBack URL
RSS 2.0
ATOM 1.0
RDF 1.0
Links OPML
OpenSearch
Great post!
you’ve got some serious accusations here, but since you have your findings to support them, I believe that this post deserves a massive exposure.
It’s not new that Microsoft isn’t honest regarding their security patches and bulletins.
Each Microsoft patch is chance to fix some undisclosed vulnerabilities, in addition to the vulnerabilities stated in the security bulletin. This is widely known as “silent fixes”.
Interesting.
I liked the demonstrations. It appears Microsoft just infinitely chasing its own tail.
if an attacker can “place” a file on the users desktop, doesn’t he already own the box?
enlighten me
@anon – not necessarily.
I’ve mentioned it in the post, like you, at first Microsoft also gave that argument – to place a file on the user’s desktop, it have to be owned.
But, using the Safari Carpet Bomb vulnerability or other methods as I suggested in the post ending, it is possible to place DLL files on user’s boxes without owning them.
great post :D
but this makes me wonder, why did Microsoft issued MS09-015 as a elevation of privilege vulnerability?
“Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)”
Once triggering the DLL-load hijacking vulnerability on an application, the hijacked DLL will run in this application privilege. And by that allowing privilege escalation.
What Windows versions are vulnerable for this kind of attack ?
Windows 2000 not vulnerable.
Windows XP, 2003, Vista and 2008 (core installation too) are vulnerable.. Both 32-bit and 64-bit versions of each one.
Regarding Windows 7.. I really don’t know.. Haven’t test it.
See: http://www.microsoft.com/technet/security/bulletin/ms09-015.mspx#E5C
Everytime i come back here I’m reminded why I added your site to my favourites:)
wow, thanks!