Windows DLL exploits unpatchable



sdowney717
August 28th, 2010, 03:07 AM
http://www.reuters.com/article/idUS2168761020100825

Reading this ought to make Windows users cringe.
They can't even patch the DLL exploit because it will cripple applications.

kamaboko
August 28th, 2010, 03:18 AM
http://www.reuters.com/article/idUS2168761020100825

Reading this ought to make Windows users cringe.
They can't even patch the DLL exploit because it will cripple applications.

Nope, doesn't make me cringe at all. You forgot to note that it's also a software vendor issue as well (e.g., WinRAR, Google Earth and Chrome, AutoCad, etc., are vulnerable).

CJ Master
August 28th, 2010, 04:52 AM
And how would these "hackers" get the DLL file on the system? The user has to download it.

I don't really see how this is much different than every other Trojan Horse out here.

an0dos
August 28th, 2010, 05:12 AM
And how would these "hackers" get the DLL file on the system? The user has to download it.

I don't really see how this is much different than every other Trojan Horse out here.

My favorite part of the article was the following:


Like a number of other companies, notably the French firm Vupen Security, Acros has decided that it will no longer report its vulnerability discoveries to vendors without compensation. "We've been giving them away for 10 years now," said Kolsek, "and it wasn't doing anything for us."

It can be so hard to choose between responsibly disclosing vulnerabilities in products to protect consumers and industries or to use them (the vulnerabilities) as a way of muscling some money out of software vendors.

psavva
August 28th, 2010, 06:04 AM
You see!!!! Doors are better than Windows. People just seem to forget to lock their windows, so anyone can get in!!!

koenn
August 28th, 2010, 09:40 AM
And how would these "hackers" get the DLL file on the system? The user has to download it.
Any of the known techniques, from social engineering to drive-by downloads, would do, I guess.



I don't really see how this is much different than every other Trojan Horse out here.
The important difference is that you don't need to get the user to execute a specific malicious program or a doctored version of a known program. Any program that simply calls a given DLL by name will do. (If I understood correctly.)

Oxwivi
August 28th, 2010, 10:09 AM
Ah, if this turns into something major, Microsoft's screwed big time.

alexfish
August 28th, 2010, 10:32 AM
Ah, if this turns into something major, Microsoft's screwed big time.

http://ubuntuforums.org/showthread.php?t=1551292&page=5

3rdalbum
August 28th, 2010, 11:21 AM
It sounds like a storm in a teacup. Programs can be tricked into running malicious code... if there is already malicious code running.

It sounds like it could be used to escalate privileges (if a root-running program was tricked), but there should be very few of those running that aren't already part of Windows... right?

If there are still 3rd-party programs that require administration access to run, then I'd probably blame those vendors mostly for having such insecure programs to begin with; and I'd put only a small amount of blame onto Microsoft for letting people run Windows XP in this day and age.

Oxwivi
August 28th, 2010, 12:05 PM
http://ubuntuforums.org/showthread.php?t=1551292&page=5
This article has convinced me what was so attractive about Apple. It speaks of the truth. +1

sdowney717
August 28th, 2010, 12:44 PM
Ah, if this turns into something major, Microsoft's screwed big time.

That is what I got out of that article. Seems like some are glossing over the implications to MS here. Does it matter if the DLLs are application or OS? Not really, not one bit; the result is still the same.

And what about this: MS DLLs are also exploitable. MS won't say how vulnerable the basic Windows OS is because they were likely totally unaware of this exploit issue, and if they knew they will refuse to admit how deep this goes for fear of a mass panic.
The problem could be unfixable without a huge code base rewrite.


Two of the exploits targeted Microsoft-made software, including PowerPoint 2010, the presentation maker in Office 2010, and Windows Live Mail, a free e-mail client bundled with Vista but available as a free download for Windows 7 customers.

Bachstelze
August 28th, 2010, 12:52 PM
It can be so hard to choose between responsibly disclosing vulnerabilities in products to protect consumers and industries or to use them (the vulnerabilities) as a way of muscling some money out of software vendors.

What does "responsibility" have to do with anything? Those security firms are just that: firms. They're here to make money. Saying to a software vendor "We have found a vulnerability in your program, but we won't tell you what it is until you give us monies" is no different than said software vendor saying to its users "we have developed a program, but we won't let you use it until you give us monies".

Oxwivi
August 28th, 2010, 01:00 PM
That is what I got out of that article. Seems like some are glossing over the implications to MS here. Does it matter if the DLLs are application or OS? Not really, not one bit; the result is still the same.

And what about this: MS DLLs are also exploitable. MS won't say how vulnerable the basic Windows OS is because they were likely totally unaware of this exploit issue, and if they knew they will refuse to admit how deep this goes for fear of a mass panic.
The problem could be unfixable without a huge code base rewrite.

Mass panic would be difficult to instigate among Windows users, because they simply won't understand the problem and will just ignore it. If it weren't so, malware, viruses and other crap couldn't have infected Windows so easily.

bartos
August 28th, 2010, 01:09 PM
And how would these "hackers" get the DLL file on the system? The user has to download it.

I don't really see how this is much different than every other Trojan Horse out here.

Don't forget the old "Download this new funny screensaver" or " Download this cute kitten for your desktop"

Or simply "Hey CLICK HERE"

an0dos
August 28th, 2010, 02:52 PM
What does "responsibility" have to do with anything? Those security firms are just that: firms. They're here to make money. Saying to a software vendor "We have found a vulnerability in your program, but we won't tell you what it is until you give us monies" is no different than said software vendor saying to its users "we have developed a program, but we won't let you use it until you give us monies".

Note: I am writing from the perspective of an industry outsider. This means that I haven't thought much about this and I probably used the term "responsible disclosure" inappropriately.

There is a substantive difference between the software vendor and the security firm: potential harm / risk to third parties.

If I don't buy Microsoft Office (software product) from Microsoft (vendor) I am not harmed. If there is a severe vulnerability in Windows (and I use it) and Microsoft doesn't buy the information related to the undisclosed vulnerability and fix it, I am potentially harmed.

Suppose a researcher finds an engineering defect in an automobile design and decides not to disclose said defect until the manufacturer pays him for his labor. Is this legal? Of course. Is it responsible? Not really because people are at risk until the problem is fixed.

I came away from this article with the feeling that these particular firms are the ambulance-chasers of the computer software industry.

MadCow108
August 28th, 2010, 03:25 PM
It's not a big deal for a secure Windows system and an experienced user (meaning not using an administrator account and not installing random crap), as there is no privilege escalation involved.

But what I do not understand is why it took so long to find this trivial problem.
Anybody running a strace equivalent on an executable must have seen it immediately.

Are there any extremely clever tricks involved after it loads the wrong DLL which have just been discovered?
Or is this maybe old news just pushed again by the media?

Oxwivi
August 28th, 2010, 03:45 PM
T'is not a trivial problem, my friend. DLLs are not to be messed with.

And even if experienced users can circumvent the problem, the majority of the users surely cannot.

Sporkman
August 28th, 2010, 03:48 PM
I remember an episode of "Pimp My Ride", where a car they were working on turned out to be so structurally defective, they declared it "unpimpable"...

s0rc3r3r
August 28th, 2010, 03:55 PM
Windows can never be secure unless they do some real overhaul whatsoever.
After installing Ubuntu, I have never logged onto the Windows partition that has Windows 7.

Just to update the antivirus I have on Windows 7, one day I did connect to the Internet from Windows 7 and all hell broke loose.
The update was interrupted...
Soon after, I got my Task Manager disabled royally, regedit was disabled, cmd was disabled... and almost everything critical, including the so-called Norton antivirus, ceased working.
LOL

Well, anyway, I used the restore point to roll back the system [which I think solved the worm issue], 'cuz I got all the disabled things back.

Well! I think since I am not using Windows, there is no need to update anything on it and risk another infection on the hard disk!
__

The best part about this episode was that a dozen of my friends installed Ubuntu on their machines.
Now almost every day when we meet up, the conversation revolves around UBUNTU and its awesomeness!
Haha. It's funny 'cuz we used to talk about girls most of the time!

kamaboko
August 28th, 2010, 03:56 PM
T'is not a trivial problem, my friend. DLLs are not to be messed with.

And even if experienced users can circumvent the problem, the majority of the users surely cannot.

Are you suggesting the majority of Windows users cannot download a file to their desktop and open it there? That circumvents the problem.

Madspyman
August 28th, 2010, 04:11 PM
I remember an episode of "Pimp My Ride", where a car they were working on turned out to be so structurally defective, they declared it "unpimpable"...

http://t3.gstatic.com/images?q=tbn:eYEjxQ6xnKbJUM:http://i568.photobucket.com/albums/ss122/lbcmang/xzibit.jpg&t=1

Yo dawg heard you like using Windows, so I added a Trojan to your DLL so you can crash while you crash.

sdowney717
August 28th, 2010, 04:20 PM
Even clicking on a link and viewing a page can be a source of infection.
Many people will become infected and not even know, while their credit cards and other information are taken.
It happened to my parents when their info was stolen and ended up with $6000 in charges on his card, and he is up to date with Avast. Had something to do with buying something on Amazon. The card company contacted him and he won't have to pay. The card company noted the suspicious activity themselves.


The Vulnerability route

Another method of "infection" is through exploiting security holes in Internet Explorer. Even if a user doesn't click on something on web page, a malicious site can deliver its payload of malware. CoolWebSearch, one of the most notorious pests in recent times is suspected to be installed by pop-ups exploiting security holes in IE. Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch in his Coolwebsearch chronicles.
http://www.malwarehelp.org/methods-of-infection.html

Sporkman
August 28th, 2010, 04:43 PM
http://t3.gstatic.com/images?q=tbn:eYEjxQ6xnKbJUM:http://i568.photobucket.com/albums/ss122/lbcmang/xzibit.jpg&t=1

Yo dawg heard you like using Windows, so I added a Trojan to your DLL so you can crash while you crash.

...and we'll put monitors on the backs of the back seats, so the people behind you can see you crash too!

Johnsie
August 28th, 2010, 04:49 PM
Nothing like a good bit of spreading anti-Windows FUD on a Linux forum. In the meantime I leave you with this:

http://ubuntu.com/usn

Enjoy ;-)

Oh, and how do you know your machine is secure if you have no security software installed? Assumptive security?

Bachstelze
August 28th, 2010, 04:56 PM
http://t3.gstatic.com/images?q=tbn:eYEjxQ6xnKbJUM:http://i568.photobucket.com/albums/ss122/lbcmang/xzibit.jpg&t=1

Yo dawg heard you like using Windows, so I added a Trojan to your DLL so you can crash while you crash.

lrn2xzibit

It's "I heard you like X, so we put a X in yo X", not "heard you like X, so we added a Y in your Z".

Fail.

rox retro
August 28th, 2010, 04:59 PM
Nothing like a good bit of spreading anti-Windows FUD on a Linux forum. In the meantime I leave you with this:

http://ubuntu.com/usn

Enjoy ;-)

Oh, and how do you know your machine is secure if you have no security software installed? Assumptive security?

And just how much anti-Linux FUD comes from Microsoft and their cronies.

You make it sound as if it is a unique phenomenon to be found on Linux forums only.

It comes from all sides no matter what platform you choose.

koenn
August 28th, 2010, 05:08 PM
Nothing like a good bit of spreading anti-Windows FUD on a Linux forum. In the meantime ...
...
discussing a real exploit / exploitable security breach has nothing to do with FUD.

kamaboko
August 28th, 2010, 05:28 PM
The sky is falling. The sky is falling.

Dr. C
August 28th, 2010, 05:39 PM
discussing a real exploit / exploitable security breach has nothing to do with FUD.

The OP post is not FUD. It is actually very valuable. There are members of this community that are responsible for the security of computers running Microsoft Windows.

sydbat
August 28th, 2010, 05:40 PM
Nothing like a good bit of spreading anti-Windows FUD on a Linux forum. In the meantime I leave you with this:

http://ubuntu.com/usn

Enjoy ;-)

Oh, and how do you know your machine is secure if you have no security software installed? Assumptive security?

Really? What part of

At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

is even REMOTELY the same as the security announcements link you posted (and the content therein)? At least with Linux/Unix distributions, the flaws are fixed.

kamaboko
August 28th, 2010, 05:49 PM
At least with Linux/Unix distributions, the flaws are fixed.


Really?

https://launchpad.net/ubuntu/+bugs

koenn
August 28th, 2010, 06:00 PM
Really?

https://launchpad.net/ubuntu/+bugs

Not all bugs are security issues, don't you think?

Calash
August 28th, 2010, 06:03 PM
I am not seeing how this is really news or even new. Unless I am reading this wrong it is basically exploiting the existence of the PATH statement to load an infected DLL in favor of the default one.

Hardly new at all; I have seen PATH statement hijacking for years. The more advanced ones alter the registry to have a service load the wrong file, or just attach to the winlogin service so the virus loads at startup even in safe mode.

It does make me cringe from a support standpoint for a couple of reasons.

- People read this and think it is a good idea. So we see an increase in this type of attack.

- Corporate management is known to panic. I am scared to see what they will want us to do in response to this.


Unless I am missing the point of this exploit...it is possible ;)

Madspyman
August 28th, 2010, 06:06 PM
lrn2xzibit

It's "I heard you like X, so we put a X in yo X", not "heard you like X, so we added a Y in your Z".

Fail.

IDK, I guess I was trying to make it more pertinent to the topic.

It's stupid humor in the first place, you can't be wrong at stupid.

koenn
August 28th, 2010, 06:24 PM
I am not seeing how this is really news or even new.
...
Unless I am missing the point of this exploit...it is possible ;)

It's something like that, but not exactly -- if I understand it correctly.
Applications search for the DLLs they require by looking for a given file name in a number of default places (the program's working directory, the current directory, the system folder(s), the Windows directory, the directories in %PATH%). The exact search order varies with Windows versions and also with the SearchMode setting in the registry.

Other than that, yes, it's apparently just a matter of dropping a crafted DLL in a place that will be checked before the location of the legitimate DLL.

It's unpatchable because apps rely on this search order mechanism to load DLLs; they'd have to be rewritten with absolute paths to the DLL (or another way to control exactly which DLL is called) to avoid this problem.
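The search-order behaviour koenn describes, as an added Python model (not code from the thread or from Microsoft): it walks the documented directory order for both settings of the registry value that toggles the safe search mode and flags lookups that a user-writable directory would win. Directory names, file layout and the DLL names (helper.dll, optional.dll) are constructed for the demonstration.

```python
"""Simplified model of the Windows DLL search order (added example).
Known DLLs and modules already loaded in the process are resolved before
any directory search and are left out of this model."""


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_mode=True):
    """Directories in the order a by-name DLL lookup consults them.
    safe_mode stands in for the SafeDllSearchMode registry value: when it is
    enabled (the default since XP SP2) the current directory is searched after
    the system directories; when disabled it comes right after the app dir."""
    if safe_mode:
        order = [app_dir, system_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, windows_dir]
    return order + list(path_dirs)


def has_file(fs, directory, name):
    # Windows file names are case-insensitive.
    return name.lower() in {f.lower() for f in fs.get(directory, ())}


def resolve(name, order, fs):
    """First directory in `order` holding `name`, or None if not found."""
    return next((d for d in order if has_file(fs, d, name)), None)


def audit(name, order, fs, trusted):
    """Defender's check: return the directory that wins the lookup when it is
    outside `trusted` (a writable location beats the OS copy, or there is no
    OS copy at all, which is the classic missing-dependency case); else None."""
    winner = resolve(name, order, fs)
    return winner if winner is not None and winner not in trusted else None


# Constructed layout: the OS copy of helper.dll lives in System32; the user
# has opened a document from Downloads (so that is the current directory) and
# files named helper.dll and optional.dll have been dropped there.
FS = {
    r"C:\Program Files\Viewer": ["viewer.exe"],
    r"C:\Windows\System32": ["helper.dll", "kernel32.dll"],
    r"C:\Users\alice\Downloads": ["report.doc", "helper.dll", "optional.dll"],
}
TRUSTED = {r"C:\Program Files\Viewer", r"C:\Windows\System32", r"C:\Windows"}


def demo(safe_mode):
    """Which untrusted directory (if any) wins each lookup for the layout above."""
    order = search_order(r"C:\Program Files\Viewer", r"C:\Users\alice\Downloads",
                         r"C:\Windows\System32", r"C:\Windows", [], safe_mode)
    return {name: audit(name, order, FS, TRUSTED) for name in ("helper.dll", "optional.dll")}


if __name__ == "__main__":
    for mode in (True, False):
        print("safe search mode", "on " if mode else "off", demo(mode))
```

With the safe mode on, helper.dll is still served from System32, but optional.dll (which has no OS copy) is picked up from Downloads either way, which is why the fix on the application side is an absolute path or an explicit load directory rather than a by-name lookup.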

Dr. C
August 28th, 2010, 06:50 PM
I am not seeing how this is really news or even new. Unless I am reading this wrong it is basically exploiting the existence of the PATH statement to load an infected DLL in favor of the default one.

Hardly new at all; I have seen PATH statement hijacking for years. The more advanced ones alter the registry to have a service load the wrong file, or just attach to the winlogin service so the virus loads at startup even in safe mode.

It does make me cringe from a support standpoint for a couple of reasons.

- People read this and think it is a good idea. So we see an increase in this type of attack.

- Corporate management is known to panic. I am scared to see what they will want us to do in response to this.


Unless I am missing the point of this exploit...it is possible ;)

Yes, this has been around for years. One could, for example, infect a Microsoft Windows 98 system by tricking an application into loading a malicious DLL with the same name as the real one in a different path. In the Microsoft Windows 98 example it would be simpler for the attacker to replace the real .dll with the malicious one. So why would an attacker do this in the Microsoft Windows 98 case?

In the case of Microsoft Windows 7 however the real .dll is much harder to replace with a malicious one because of the security features of that OS. Ever heard of the "trusted installer" in Vista and 7? The path attack now becomes very relevant as a way to get around the new security features in Vista and 7.

What we have here is a very old exploit that has been around for years that can be used to turn the security of Microsoft Windows 7 into something along the lines of Microsoft Windows XP.