Slashdot Mirror


Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com)

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.

2 of 162 comments

  1. Re:What's a DLL? by lesincompetent · Score: 5, Insightful

    The obvious questions are:
    - Why are you here?
    - Why the semicolon?

  2. Re:Other side of the airtight hatchway by pr0fessor · Score: 3, Insightful

    In this case it would be up to the installer to verify that it is loading a valid library. The problem is, if somehow a certain named and versioned DLL can be downloaded to the same folder you execute the installer from, it can execute arbitrary code when the installer initializes it, using the elevated privileges you granted the installer.

    So in order to implement this side-loading you would first need to take advantage of another vulnerability to get that library in the right place.

    In order to protect against this they could simply not include the execution folder in the search path and validate the library in a manner other than just the name and version which can be faked.

    If someone were to try and exploit this, chances are they would attempt to run their code in the background while leaving the rest of the library untouched, so the installer would complete without tipping off the user. This means something as simple as a file size could validate there wasn't a bunch of extra code present, although there are better methods for validating a library.
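The check the comment above describes, from the user's side rather than the installer's: audit the folder installers are run from (typically Downloads) for DLLs sitting next to executables, and verify each one by its Authenticode signature and size rather than by its name. This is an added example, not code from the thread or from any of the vendors named in the summary; it assumes only built-in PowerShell cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Test-Path) and a Windows host, and the function name Test-InstallerDirectory is the example's own.

```powershell
# Added example (not from the Slashdot thread): list every DLL that sits beside
# installers in a download folder and report how trustworthy it looks. An
# installer whose search path starts with its own directory would load such a
# DLL in place of the system copy, with whatever privileges the installer got.
function Test-InstallerDirectory {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $dlls = Get-ChildItem -Path $Path -Filter '*.dll' -File -ErrorAction Stop
    $exes = Get-ChildItem -Path $Path -Filter '*.exe' -File -ErrorAction SilentlyContinue

    foreach ($dll in $dlls) {
        # Authenticode: a valid chained signature from a known publisher is a far
        # stronger check than the file name or version resource, both of which
        # an attacker controls.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [pscustomobject]@{
            Dll               = $dll.Name
            SizeBytes         = $dll.Length      # the crude size check the comment mentions
            Signature         = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer            = $signer
            InstallersBeside  = @($exes).Count   # DLLs next to installers are the risky case
            # A DLL that shares its name with one in System32 is exactly the kind
            # an installer would pick up first if its own folder is searched before
            # the system directory.
            ShadowsSystem32   = Test-Path (Join-Path $env:SystemRoot "System32\$($dll.Name)")
        }
    }
}

# Usage: flag anything unsigned, tampered, or shadowing a system DLL in Downloads.
Test-InstallerDirectory -Path (Join-Path $env:USERPROFILE 'Downloads') |
    Where-Object { $_.Signature -ne 'Valid' -or $_.ShadowsSystem32 } |
    Format-Table -AutoSize
```

A clean download folder produces no rows. Any row with Signature other than Valid, or with ShadowsSystem32 set, is worth removing before running an installer from that folder; the installer-side fix the comment suggests (not searching the execution folder at all) is something only the vendor can apply, so this check is the defender's complement to it.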