
Brand New 0-day Exploit: The World Is Going To End Yet Again

This blog entry was originally written around August 2010 for the Authentium blog:

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days.

In the old days we used to call these Companion viruses. They worked by using a different file extension that would be executed before the real executable. For example, if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path, and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could then execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect.

This brand new 0-day exploit also uses the search path of Windows, in this case the search path for dynamically linked libraries. If an application needs to load a library dynamically then it uses a predetermined and very well documented search order to find the required libraries. This search order has been documented for at least a decade.

How this new and amazing exploit works is that if some malicious or not so malicious person were to drop a library with the required name into a location that is searched before the real one, then that library will be loaded instead of the expected one. We have seen malware exploiting this for several years. Developers call it DLL hell.

If “security researchers” are this desperate to publish exploits then it probably is a good sign. Either everybody is tired of yet another Adobe Reader exploit or it is getting harder to find exploits.

Is this really an exploit? Is this something that we should be detecting or Microsoft should be patching?

As I stated, this is known and documented behavior of the Microsoft operating systems. Unix does things a bit differently for good reasons. It definitely is not good design, but it may be problematic to fix.

It is possible to avoid being hijacked like this, but it does take a bit of work on the side of the developer. It is possible for Microsoft to fix it, but it will probably break the majority of software that runs on Windows. Should it be fixed? Probably, but Microsoft probably can’t without causing major problems.

Should we detect the exploit? That is harder. Firstly, it is not an exploit. It is just the operating system doing what it should be doing. We will definitely detect any malware using this technique to spread or escalate permissions.
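As an added illustration of the detection side (example code written for this page, not from the original post or from Authentium), here is a PowerShell check that lists loaded modules whose file name matches a DLL shipped in System32 but that were loaded from somewhere else, which is what a library planted in an application or current directory looks like from the outside. It assumes the standard %SystemRoot% layout and that the shell has rights to read the module lists of the processes it inspects.

```powershell
# Added example: find loaded DLLs that shadow a System32 DLL of the same name.
# Assumes the standard %SystemRoot% layout (System32, SysWOW64, WinSxS).
$system32 = Join-Path $env:SystemRoot 'System32'

# Build a lookup of DLL names that exist in System32 (case-insensitive).
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File | ForEach-Object {
    $systemDlls[$_.Name.ToLowerInvariant()] = $_.FullName
}

# Locations from which a same-named DLL is expected to be loaded.
$trustedRoots = @(
    $system32,
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

$findings = foreach ($proc in Get-Process) {
    # Reading .Modules throws for protected processes and for some
    # cross-bitness cases; skip those rather than abort the sweep.
    try { $modules = $proc.Modules } catch { continue }

    foreach ($m in $modules) {
        $name = $m.ModuleName.ToLowerInvariant()
        if (-not $systemDlls.ContainsKey($name)) { continue }

        $path = $m.FileName
        $fromTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $fromTrusted = $true
                break
            }
        }
        if (-not $fromTrusted) {
            [PSCustomObject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                Module     = $m.ModuleName
                LoadedFrom = $path
                ExpectedIn = $systemDlls[$name]
            }
        }
    }
}

$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

Expect benign hits from applications that legitimately ship their own copy of a runtime DLL next to the executable; the value of the check is in reviewing each non-system path once and then alerting on new ones.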

In the end I think this 10+ year old 0-day “exploit” (oxymoron?) is much ado about absolutely nothing new.