Microsoft just released Security Advisory 2269637, warning of an entire class of new zero-day attacks that take advantage of the way many popular Windows programs are written. Perpetrators -- likely to appear in the next few days -- won't take on Windows directly. Rather, they'll rely on how Windows finds and assembles pieces of programs to get their nefarious code to run.
Known variously as "DLL hijacking," "DLL preloading," or "binary planting" attacks, I tend to think of the approach as a "path exploit." Back in the early days of Windows -- and DOS before it -- the sequence of DLL search locations was defined by something called a Path variable. That's why I call it a path exploit.
[ Get your systems up to snuff with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
There's a lot of hand-waving and high-falutin' programming terminology floating around, but at its core the attack goes like this: You have a program called, oh, Senuti.exe and you run it all the time -- it's a big-name program from a major manufacturer. Whenever you double-click on a file with a name that ends in .sen, say, the Senuti.exe program kicks in and loads the .sen file. Easy.
The guys in black hats have been watching Senuti.exe and they know that every time Senuti.exe runs, it fires up a program called, let's say, Whizbang.dll. The guys in black hats also know that the Senuti.exe program doesn't specify exactly where Windows should find Whizbang.dll. Instead, they've discovered that the Senuti program just calls "Whizbang.dll" and lets Windows find it. That's a common (but not recommended) programming practice.
