[Security Alert] Caution when using Windows applications
- Be careful where you save the downloaded application programs -

Last Updated: November 30, 2017

Fifty-three cases of the DLL hijacking vulnerability in Windows applications were published on JVN from April to the end of August 2017, a sharp increase over the previous quarter (January – March 2017: 4 publications). The vulnerability affects Windows applications, and given how widely Windows is used, these fifty-three cases may be just the tip of the iceberg: many more Windows applications may have the same vulnerability. In addition, it is hard for users to check whether a given Windows application has this vulnerability. For these reasons we, IPA, have published this security alert to provide a workaround and to encourage users to use fixed versions of Windows applications. The vulnerability is difficult to exploit, and so far we have not identified any incidents in which it has been exploited.

What is the DLL hijacking vulnerability?

Application programs running on Windows search for Dynamic Link Libraries(*1) in the directory where the application program itself resides before searching the system directories.

If a malicious DLL is in the same directory as the Windows application program and all of the following conditions are met, arbitrary code may be executed.

Conditions

  • A Windows application program loads a DLL when it is executed.
  • The Windows application program and the malicious DLL are in the same directory, such as the “download directory”(*2).

Due to the widespread use of Windows, the Windows applications which may have this vulnerability are also assumed to be widely circulated. Moreover, it is hard for users to check whether a Windows application has the vulnerability or not. That makes it difficult for users to make sure they are using Windows applications safely.

(*1) DLL (Dynamic Link Library): A DLL provides common functions independently of any particular application, so that applications do not need to implement those functions themselves.

(*2) The location depends on the browser settings; downloaded files are usually stored in the “download directory” unless the settings are changed.

Attack Scenario of DLL Hijacking

1) Common Circumstances When Downloading Files

Downloaded files remain in the download directory unless the user deletes them. This makes it difficult for the user to find unintentionally downloaded malicious DLLs buried among the large number of files in the download directory.

2) Downloading an application

Under the default settings, an application is downloaded to the download directory.

3) Execution of the application

A malicious DLL is loaded when the vulnerable application is executed.

Kinds of applications that may be affected

  • Installers
    Software which installs an application
  • Self-extracting archives
    Executable programs containing compressed programs or data with the routines to decompress them
  • Portable applications
    Executable software without need of an installer

Solutions

  • Do not download Windows applications to the download directory
    Create a new directory in advance and download applications to that directory. Alternatively, copy the programs to another trusted directory or to a newly created temporary directory.
  • Check directories to which Windows applications are downloaded
    Confirm that the directory containing the application holds no untrusted files, that is, files not listed in the “ReadMe” or in the file list in the manuals. Delete any untrusted files found.
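
The two solutions above can be scripted. The following is an added example, not IPA's own code: it lists DLLs that sit beside an application and are not on the expected file list, and copies an application into a newly created empty directory. The function names, the ".exe" filter and the sample file names are assumptions constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe"}  # assumption: what counts as an "application" here


def audit_directory(directory, expected_files):
    """Return DLLs that sit beside an executable and are not on the expected list.

    expected_files: names taken from the application's ReadMe or manual file list.
    Windows file names are case-insensitive, so names are compared lower-cased.
    """
    entries = [p for p in Path(directory).iterdir() if p.is_file()]
    if not any(p.suffix.lower() in EXECUTABLE_SUFFIXES for p in entries):
        return []  # the alert's conditions need an application in the same directory
    expected = {name.lower() for name in expected_files}
    return sorted(p.name for p in entries
                  if p.suffix.lower() == ".dll" and p.name.lower() not in expected)


def stage_in_clean_directory(application):
    """Copy one downloaded application into a newly created, empty directory."""
    clean_dir = Path(tempfile.mkdtemp(prefix="app-stage-"))
    staged = Path(shutil.copy2(application, clean_dir))
    # The new directory must contain the application and nothing else.
    if [p.name for p in clean_dir.iterdir()] != [staged.name]:
        raise RuntimeError(f"{clean_dir} is not clean")
    return staged


def demo():
    """Build a constructed download directory and run both checks on it."""
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    for name in ("setup.exe", "helper.dll", "Unlisted.DLL", "notes.txt"):
        (downloads / name).write_bytes(b"constructed sample")
    unexpected = audit_directory(downloads, expected_files=["setup.exe", "HELPER.dll"])
    staged = stage_in_clean_directory(downloads / "setup.exe")
    return unexpected, audit_directory(staged.parent, expected_files=["setup.exe"])


if __name__ == "__main__":
    print(demo())
```

A file reported by `audit_directory` is only unlisted, not proven malicious; review it before deleting it.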

Other Information

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: