Unpatched DLL Bugs let Hackers Exploit Windows 7 and IE9, Says Researcher - Microsoft Investigating Claims

Windows and Internet Explorer 9 (IE9) can still be exploited, warned Slovenia-based Acros Security company. Microsoft confirmed that it's investigating the claims.The IE9 attack works even on Windows 7, where the browser runs in a "sandbox" of sorts, an anti-exploit technology designed to block hackers from infecting a PC. "[The attack works] against Internet Explorer […]

Windows and Internet Explorer 9 (IE9) can still be exploited, warned Slovenia-based Acros Security company. Microsoft confirmed that it's investigating the claims.

The IE9 attack works even on Windows 7, where the browser runs in a "sandbox" of sorts, an anti-exploit technology designed to block hackers from infecting a PC. "[The attack works] against Internet Explorer 9 in protected mode on Windows 7 ... without any suspicious double-clicks or security warnings," Across Mitja Kolsek wrote.

"We'll reveal how IE8 and IE9 can be used on Windows 7, Vista and XP for attacking users without any security warnings, even in 'Protected mode,' and how to remotely make many seemingly-safe applications, for example, Word 2010 and PowerPoint 2010, vulnerable," said Kolsek in a email.

The attack class called "DLL load hijacking" by some, but dubbed "binary planting" by Acros, jumped into public view last August when HD Moore, the creator of the Metasploit penetration hacking toolkit and chief security officer at Rapid7, found dozens of vulnerable Windows applications. Moore's report was followed by others, including several from Kolsek and Acros.

Many Windows applications don't call DLLs using a full path name, but instead use only the filename, giving hackers a way to trick an application into loading a malicious file with the same title as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shared folders, or get them to plug in a USB drive -- and in some cases con them into opening a file -- they can hijack a PC and plant malware on it.

In a blog post, Kolsek outlined still-available DLL load hijacking attack vectors, including one that works against any copy of Windows XP, another that can be used to compromise PCs running the newer Vista or Windows 7 operating systems, and a third that can be exploited through Internet Explorer 9 (IE9), Microsoft's eight-week-old browser.

At Hack in the Box, Kolsek intends to demonstrate exploits of DLL load hijacking bugs in Windows using malicious Word 2010 and PowerPoint 2010 documents, and against IE9.

[Source: Across Security, Via: ComputerWorld]