Posted on 08/25/2010 1:17:28 PM PDT by stripes1776
Computerworld - Some of the world's most popular Windows programs are vulnerable to a major bug in how they load critical code libraries, according to sites tracking attack code.
Among the Windows applications that can be exploited using a systemic bug that many have dubbed "DLL load hijacking," are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.
"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of exploit postings for the vulnerability in Windows software called "DLL load hijacking" by some, "binary planting" by others.
On Monday, Microsoft confirmed reports of unpatched vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. The flaws stem from the way many Windows applications call code libraries -- dubbed "dynamic-link library," or "DLL" -- that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL.
If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.
...
Among the 40 exploits listed by Offensive were ones for several Adobe products, including InDesign, Illustrator and Photoshop; a number of Microsoft-made programs, including a pair that were revealed yesterday by Slovenian security firm Acros; and other popular applications, such as Foxit Reader, uTorrent and Wireshark.
...
(Excerpt) Read more at computerworld.com ...
I’ve got SCCM. Bring it on.
Now, why is it, when Apple’s iPhone had this supposedly HUGE hole, nothing happened and it took them 2 weeks to fix it.
But, Windows has this bug and it will take them MONTHS if ever to fix it, and within 24 HOURS dozens of exploits are in the wild?
What gives?
/mark
SCCM?
What gives?
Perhaps because this bug exists in so many programs and is easy to exploit.
Windows is a piece of sh!t - always was.
It was only the mainstream PC media and IBM executive’s cowardice that gave Microsoft its PC monopoly. There were much better OSes then. There are much better OSes now.
Funny, it’s a lot like the political situation.
System Center Configuration Manager
That’s what I thought you meant. SCCM still needs to be used with a firewall client though, doesn’t it?
Not in a Windows domain. The only thing I saw on the list I have at home is Wireshark, and I uninstalled that 2 days ago.
This has the potential to be the most serious threat against the Windows platform seen in a long time.
Unless they’re being paid by their employer to tolerate it, it’s beyond me why anyone would put up with the hassles and vulnerabilities of any version of Windows in their own personal computers.
I think you're right. It seemed serious to me two days ago when I first read about the problem. But I am surprised how fast the exploits have been published. And it affects some of the most widely used applications.
The other day I was in a coffee house getting a shot of espresso. The guy sitting next to me was using Windows on his MacBook Pro. He dual boots. He boots up in Windows for work, but when he goes home, he boots up in Mac OS for his personal computing pleasure. I think we will see a lot more of that type of setup in the near future.
Thank God I only use apps for people ages 25-40.
I’m not too smart on dll exploits. Does all this mean using Firefox is not safe anymore?
Firefox is very good at issuing security updates, so you should be fine. The important thing is that software vendors plug this security hole in their products before any malicious programmers have time to exploit the vulnerabilities.
I would not worry about it. Just be prudent like you always are. Don't click on any links in email from people you don't know. Don't go to any weird websites.
Firefox will probably have a fix within a week. You will be fine.
>>> ACCUNETIX
 Accunetix Web Vulnerability Scanner (wvs) latest
>>> ALLADIN
 Aladdin eToken PKI Client (etc, etcp) (wintab32.dll) 5.0.0.65
>>> APPLE
 Safari (dwmapi.dll) <= 5.0.1
>>> AVAST
 Avast! (license file .avastlic) (mfc90loc.dll) <= 5.0.594
>>> ADOBE
 Adobe Dreamweaver (mfc90ptb.dll) CS4 (<= 10.0 build 4117) CS5 (<= 11.0 build 4909)
 Adobe ExtendedScript Toolkit (dwmapi.dll) CS5 v3.5.0.52
 Adobe Extension Manager (mxi, mxp) (dwmapi.dll) CS5 v5.0.298
 Adobe Photoshop (wintab32.dll) CS2
 Adobe Fireworks CS3, CS4 and CS5
 Adobe Device Central (qtcf.dll) CS5
 Adobe Illustrator (ait, eps) (aires.dll) CS4 v14.0.0
 Adobe On Location (olproj) (ibfs32.dll) CS4 build 315
 Adobe Indesign (indl, indp, indt, inx) (ibfs32.dll) CS4 v6.0
 Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr) (ibfs32.dll) Pro CS4 314
>>> BREAKPOINT
 HexWorkshop (pe932d.dll, pe936d.dll, pegrc32d.dll) 6.0.1.460.3
>>> BS.Player
 BS.player (mfc71loc.dll) latest
>>> CAMTASIA
 Camtasia Studio (cmmp, cmmtpl, camproj, camrec) (dwmapi.dll) <= 6 build 689
>>> CISCO
 Cisco Packet Tracer (pkt, pkz) (wintab32.dll) 5.2
>>> CITRIX
 Citrix ICA Client (ica) (pncachen.dll, wfapi.dll) v9.0.32649.0
>>> COREL
 Corel Draw (cmx, csl) (crlrib.dll) <= X3 v13.0.0.576
 Corel PhotoPaint (cpt) (crlrib.dll) <= X3 v13.0.0.576
>>> DAEMON TOOLS
 DAEMON Tools Lite (mdf, mds, mdx) (mfc80loc.dll) 4.35.6.0091
>>> ETTERCAP
 Ettercap (wpcap.dll) <= NG 0.7.3
>>> GFI
 GFI Backup (gbc, gbt) (armaccess.dll) 2009 Home Edition
>>> GOOGLE
 Google Chrome (chrome.dll) latest
 Google Earth (kmz) (quserex.dll) <= v5.1.3535.3218
>>> HTTRACK
 WinHTTrack Website Copier (whtt) (mfc71enu.dll, mfc71loc.dll) 3.43-7
>>> INTERVIDEO
 Intervideo WinDVD (cpqdvd.dll) 5
>>> INTUIT
 Quickbooks (des, qbo, qpg) (dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll) Pro 2010
>>> IZARC
 IZArc (all archive formats) (ztv7z.dll) <= 4.1.2
>>> MEDIA PLAYER
 Mediaplayer Classic mpc (all formats) (iacenc.dll) <= 1.3.2189.0
 Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl) (ehtrace.dll, iacenc.dll) <= v6.4.9.x
>>> MICROSOFT
 MS Powerpoint (odp, pot, potm, pptx, ppt, ppa, pps, ppsm, ppsx, pptm, pwz, sldm, sldx) (pptimpconv.dll, pp7x32.dll, rpawinet.dll) verified on 32 & 64bit 2007 2010
 MS Word (docx) (rpawinet.dll) 2007
 MS Virtual PC (vmc) (midimap.dll) 2007
 MS Visio (vtx) (mfc71enu.dll) 2003
 MS Office Groove (wav, p7c) (mso.dll) 2007
 MS Windows Mail (nws) (wab32res.dll)
 MS Windows Live Email (eml, rss) (dwmapi.dll) latest
 MS Movie Maker (mswmm) (hhctrl.ocx) <= 2.6.4038.0
 MS Vista Backup Manager (.wbcat) (fveapi.dll)
 MS Internet Connection Signup Wizard (smmscrpt.dll) latest
 MS Internet Communication Settings (isp) (schannel.dll) latest
 MS Group Convertor (grp) (imm.dll) latest
 MS Clip Organizer (mpf) (twcgst.dll) <= 11.8164.8324 (XP SP3)
 MS Snapshot viewer (snp) (mfc71enu.dll, mfc71loc.dll) 11
 Windows Program Group / grpconv.exe (grp) (imm.dll) latest
 MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf) (wab32res.dll) XP, Vista; silently patched on Win7
 MS RDP Client (rdp) (dwmapi.dll Win7, ieframe.dll XPSP3) v6.1.7600.16385 (Win7) v6.0.6001.18000 (XP SP3)
 MS Visual Studio devenv.exe (cur, rs, rct, res) (NULL.dll) 2008
 wscript (jse) (wshfra.dll) XP version
 MS Windows Media Encoder (prx) (wmerrorenu.dll, winietenu.dll, asferrorenu.dll) 9.00.00.2980
>>> MOZILLA
 Firefox (htm, html, jtx, mfp, shtml, xaml) (dwmapi.dll) <= 3.6.8
 Mozilla Thunderbird (eml, html) (dwmapi.dll) 3.1.2
>>> NETSTUMBLER
 NetStumbler (ns1) (mfc71enu.dll, mfc71loc.dll) 0.4.0
>>> NVIDIA
 NVidia Driver (tvp) (nview.dll) latest
>>> OMNIPEEK
 Omnipeek Personal (pkt, wac) (mfc71loc.dll) 4.1
>>> OPERA
 Opera (htm, html, mht, mhtml, xht, xhtm, xhtl) (dwmapi.dll) <= 10.61
 Opera widgets (wgt)
>>> ORACLE
 Java Web Start (javaw.exe) (jnlp) (schannel.dll) 1.6 update 21
>>> PUTTY
 putty (winmm.dll) 0.60
>>> ROXIO
 Roxio Photosuite (homeutils9.dll) 9
 Roxio MyDVD (dmsd, dmsm) (homeutils9.dll) 9
 Roxio Creator DE (homeutils9.dll) <= 9.0.116
 Roxio Central (c2d, cue, gi, iso, roxio) (homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll) 3.6
>>> SKYPE
 Skype (wab32.dll) <= 4.2.0.169
>>> SWEETSCAPE
 010 Editor (bt, hex) (wintab32.dll)
>>> TEAMMATE
 Teammate audit mgmt software suite (mfc71enu.dll) v8
>>> TEAMVIEWER
 Teamviewer (tvc, tvs) (dwmapi.dll) <= 5.0.8703
>>> TECHSMITH
 TechSmith Snagit (.snag) (dwmapi.dll) <= 10 build 788
 TechSmith Snagit accessories (results) latest
 TechSmith Snagit profiles (snagprof) latest
>>> uTorrent
 uTorrent (userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll) <= 2.0.3
 uTorrent .torrent (plugin_dll.dll) <= 2.0.3
>>> VIDEOLAN
 VLC media player (mp3) (wintab32.dll) <= 1.1.3 (fixed in 1.1.4)
>>> WINZIP
 Winzip ?
>>> NULLSOFT
 Winamp (669, aac, aiff, amf, au, avr, b4s, caf, cda) (wnaspi32.dll, dwmapi.dll) 5.581
>>> WIRESHARK
 Wireshark (5vw, acp, apc, atc, bfr, cap, enc, erg, fdc, pcap, ...) (airpcap.dll, tcapi.dll)
You can view the original list at: http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
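The article describes the bug as an application loading a library from the folder of the document it was asked to open (a Web share, a USB drive) in preference to the real one, and the list above gives the library names that the affected programs resolve that way. A defender can turn that list into an audit: walk the shares and download folders users open documents from and flag any file whose name matches one of those library names but sits outside a trusted install location. The script below is an added example written for this thread, not code from Computerworld, corelan or Microsoft. The watchlist is a constructed subset of the names in the list, the directory tree it scans is constructed in a temporary folder, and the "trusted" install directory is hypothetical; on a real host you would pass the Windows system directory and your application install directories as trusted and point it at file shares and user profiles.

```python
"""Audit a directory tree for library files that shadow names an application
is known to resolve from the document's own folder (DLL load hijacking)."""
import os
import tempfile
from pathlib import Path

# Library names taken from the vulnerable-application list above (constructed
# subset). One of these sitting beside documents on a share is the classic
# "binary planting" layout and is worth a look even when the file is benign.
WATCHLIST = frozenset({
    "dwmapi.dll", "wintab32.dll", "mfc71loc.dll", "mfc71enu.dll", "mfc80loc.dll",
    "mfc90loc.dll", "mfc90enu.dll", "rpawinet.dll", "wab32res.dll", "wab32.dll",
    "ibfs32.dll", "schannel.dll", "iacenc.dll", "userenv.dll", "shfolder.dll",
    "dnsapi.dll", "iphlpapi.dll", "midimap.dll", "imm.dll", "hhctrl.ocx",
})

LIBRARY_SUFFIXES = (".dll", ".ocx")


def audit_tree(root, trusted_dirs=(), watchlist=WATCHLIST):
    """Walk ``root`` and report watchlisted library names found outside
    ``trusted_dirs`` (or their subdirectories).

    Each finding is {"dir", "library", "documents"}; ``documents`` lists the
    non-library files sharing that folder, because an application opened on
    one of them is what would search the folder for its libraries first.
    """
    trusted = {Path(d).resolve() for d in trusted_dirs}
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        here = Path(dirpath).resolve()
        if here in trusted or any(t in here.parents for t in trusted):
            continue  # legitimate install location, not a planting site
        # Windows filenames are case-insensitive, so compare lower-cased names.
        lowered = {f.lower(): f for f in files}
        planted = sorted(name for name in lowered if name in watchlist)
        if not planted:
            continue
        documents = sorted(f for f in files
                           if not f.lower().endswith(LIBRARY_SUFFIXES))
        for name in planted:
            findings.append({"dir": str(here),
                             "library": lowered[name],
                             "documents": documents})
    return findings


def demo():
    """Build a constructed sample tree (not real data) and audit it."""
    root = Path(tempfile.mkdtemp(prefix="dll_audit_"))
    app_bin = root / "Program Files" / "SomeApp"   # hypothetical install dir
    reports = root / "share" / "reports"           # document folder on a share
    photos = root / "share" / "photos"
    for d in (app_bin, reports, photos):
        d.mkdir(parents=True)
    (app_bin / "dwmapi.dll").write_bytes(b"MZ")     # trusted location: ignored
    (reports / "quarterly.docx").write_bytes(b"PK")
    (reports / "rpawinet.dll").write_bytes(b"MZ")   # shadows a name Word 2007 loads
    (photos / "vacation.jpg").write_bytes(b"\xff\xd8")
    return audit_tree(root, trusted_dirs=[app_bin])


if __name__ == "__main__":
    for hit in demo():
        docs = ", ".join(hit["documents"]) or "no documents"
        print(f"{hit['dir']}: {hit['library']} next to {docs}")
```

Running it flags only the share folder where a document and a watchlisted library name sit together, and ignores the copy of dwmapi.dll inside the trusted install directory. The audit is a detection aid rather than a fix: the Microsoft tool the article mentions addresses the other side, by restricting where the current working directory falls in the library search order, and the per-application patches (such as the Firefox 3.6.9 update discussed later in this thread) remove the dependency on that search order altogether.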
great list. Thanks for posting it.
I thought you said you NEVER post to windows threads. Nice to see you here.
What’s the angle on Apple’s security hole? How does this have any relevance to this issue?
Thanks for the assurance. I really like Firefox and never use IE anymore.
Firefox just released the update (3.6.9) to take care of the DLL hijacking problem. It should download and update automatically when you use the browser. You can read about it here: New Firefox Update Fixes Critical Vulnerabilities
Firefox has a "Check for Updates" option under the "Help" menu on Windows.
Thanks. I actually did start having problems in the last few days. Don’t know if it’s related to this or not, but began having constant hardware interrupts—not just the first few minutes, but the entire time I was on the computer.
Using Process Explorer, I noticed wuauclt.exe kept being active. It’s the Windows auto update. I went ahead and killed it, and the hardware interrupts stopped immediately.
I’ll just check for windows updates myself every now and then. The interrupts were slowing my computer down to a crawl, and I just couldn’t take it any longer!