Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • DLL hijacking

    Posted on August 25th, 2010 at 16:02 woody 7 comments

    If you’re wondering what all the fuss is about, check out my InfoWorld Tech Watch article.

    The sky isn’t falling, but the bad guys just got a potent new weapon.

     

    7 responses to “DLL hijacking”

    1. Woody -

      Some more info here or on Tech Watch would be helpful. Specifically, it sounds like this is an issue for local file access (e.g., USB flash drive) but NOT for files you see using your web browser.

      That is – when my browser views an html or jpeg, there is not a mounted drive at the Internet URL and thus my browser does not put that URL in my PATH for dlls.

      Similarly for PDF or media – even though the Reader plug-in or QuickTime opens a file on the web through the browser, that source file is not actually a mounted file system and thus not part of my PATH.

      If that is accurate, then web browsing is not a problem, and downloading files is not a problem (because the download is just the PDF or mp3, etc., and does not include the bad DLL).

      Or am I missing something here?

      Thanks
      Randall

    2. So now that we know all of this, what do we do? And can these rogue .dlls be detected and removed? If not, what else can a non-technical end-user do to protect ourselves?

      I use a lot of free software, so this may be more of a problem for me than for those who use the more frequently updated commercial titles. Will Secunia PSI start flagging programs which do not specify the path?

    3. @Randall -

      That is accurate, I believe. The online problem comes when, e.g., you download a ZIP file containing both a doc and a dll. Depending on how you unzip the file, you may or may not trigger something.

      Far more vexing are network shares or USB drives.

    4. @RC -

      Damn good question. I should have a new post on InfoWorld Tech Watch in the next hour, with two novel ideas – at least, I haven’t seen them mentioned anywhere.

      Chances are good Secunia will only flag programs that have new versions.

    5. Woody, the Zipped Folder downloaded from the Internet would seem to be the greater issue. For example, I download a non-installed application from Nir Sofer’s site (or someplace a bit less trustworthy), and Windows offers to Extract All to wherever I designate. If there were a rogue DLL in that Zipped Folder, I would be in deep trouble. Guess I should stick with Installed Programs from now on?

      At least with a local Flash Drive, I can do as you recommend in your more recent Tech Watch Article, and move the desired file(s) to my Desktop before messing with anything. Not always an option when downloading Zipped non-installed applications from web sites.

    6. @RC –

      See my reply to the other question.

      This one gets even more complicated. Say you have a program like 7-Zip that lets you look inside ZIP files, without actually unzipping them. If you double-click on a file inside the (zipped) file, and the program that handles that file is smart enough to reach inside the zip using 7-Zip, yes, you can get zapped.

      I don’t know of any programs that are smart enough to do that with 7-Zip, but there may be some.

    7. And now that you mention the 7-Zip Explorer vulnerability, I am sure the hackers are busy at work devising a way to do just that!
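
    The case raised in comments 3 and 5, a ZIP that carries a DLL in the same folder as a document, can be checked from the archive listing before anything is extracted. This is an added example, not code from the post or its commenters; the extension list and the sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Assumption: extensions treated as "documents a user would double-click".
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".ppt", ".pdf", ".txt", ".htm", ".html", ".mp3"}


def dll_next_to_documents(archive):
    """Return {folder: (dlls, documents)} for ZIP folders that hold both.

    Only the archive's directory listing is read; nothing is extracted.
    """
    dlls, docs = defaultdict(list), defaultdict(list)
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # ZIP names use "/" but some tools write "\"; normalise first.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            folder, ext = str(path.parent), path.suffix.lower()
            if ext == ".dll":
                dlls[folder].append(path.name)
            elif ext in DOCUMENT_EXTS:
                docs[folder].append(path.name)
    # A DLL beside an .exe is normal packaging; a DLL beside a document is not.
    return {f: (sorted(dlls[f]), sorted(docs[f])) for f in dlls if f in docs}


def build_sample_zip():
    """Constructed sample: an in-memory ZIP with made-up file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.doc", b"constructed document bytes")
        zf.writestr("report/helper.dll", b"constructed placeholder, not a real DLL")
        zf.writestr("tool/tool.exe", b"constructed placeholder")
        zf.writestr("tool/tool.dll", b"constructed placeholder")
        zf.writestr("readme.txt", b"constructed text")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for folder, (dll_names, doc_names) in dll_next_to_documents(build_sample_zip()).items():
        print(f"{folder}: {dll_names} beside {doc_names}")
```

    A flagged folder is a reason to extract only the document to a clean location, such as the Desktop, before opening it.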
