Windows apps may succumb to DLL exploit

Hundreds of Windows applications could be at greater risk now exploit code for a dynamic link library (DLL) hijack vulnerability is openly available.

Code for launching an attack has been added to Metasploit, an open-source hacking toolkit. Also, an auditing tool that checks for and records information about vulnerable applications is now available.

Security experts have claimed it will not be long before attacks start to appear, but it does require a chain of events to work.

If an attacker could trick a user into opening a harmless executable file from the current directory, it could load a corrupted DLL created by the attacker and stored in the same directory. This directory could be a USB drive, an extracted archive or a remote network share.

The vulnerability has been known about for well over a decade but it has become more dangerous as removable storage and web-based applications have appeared. Originally, the DLL would had to have been stored on the local system.

The reason it had not been fixed was it was seen as bad programming rather than a Windows flaw. Microsoft did make changes, however, to the default DLL loading order so that other directories were checked for the file first rather than the current directory.

Microsoft issued an advisory on Monday confirming there was a security issue and offering advice. It has created a special registry key that programs can access to eliminate the problem. The company will also be looking for vulnerable applications and helping developers to eliminate risks.