Tag Archives: dll hijacking

Newest Vulnerability in Windows Computers, an Emerging New Class

If the expression “opening a can of worms” means anything to you, you’ll start to get the idea of what’s happening with this subject. Or maybe Pandora’s box is the better metaphor. At any rate, it seems that one vulnerability disclosure led to another, and another. As predicted in a recent article, these are now surfacing. One of the immediate problems is that it does not only involve the Windows operating system per se, but also the programs that run on Windows. Many of them. The common thread is the way Windows programs locate the libraries (DLLs) they load, which is why the class is now being called DLL hijacking or binary planting. Details on this new class are still sketchy, since the idea is to get patches developed before revealing too much about the vulnerability.

About a week ago a Slovenia-based security company called Acros published an advisory regarding a vulnerability in iTunes that would allow a remote attacker to take control of the attacked computer. Acros has reportedly been working on analyzing this type of vulnerability since late 2008. A tool was developed to spot this vulnerability in Windows programs; over 200 programs were tested and, surprisingly, about 90% were found potentially vulnerable to the exploit. This testing had gone unpublished until a few days ago.

Hours after Acros published the advisory mentioned above, HD Moore, Chief Security Officer of Rapid7, a US-based security company, announced that he had found about 40 Windows programs vulnerable to this new class of exploit. Acros then decided to let the big cat out of the bag and the next day expanded the list from 40 to over 200. Over this past weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California, Davis, also joined the party, pointing to the research paper he and Zhendong Su had published earlier this year on the subject. Then just yesterday Microsoft published a security advisory on the subject. That is the timeline so far for this new vulnerability class.

What to do

Patching this vulnerability is a bit of a catch-22. The root cause is the order in which Windows searches for a DLL that a program asks for by name only: the current working directory is on that list, and when you open a document the working directory is normally the folder the document lives in. An attacker who controls that folder (a network share, for example) can put a DLL there with the name the program expects next to an innocent-looking document, and when you open the document the program loads the attacker’s code. Because the nature and reach of this vulnerability are so wide, a single Microsoft patch that removed the current directory from the search order would break scores of legitimate applications. Plus the vulnerability lies mainly in the lax way the programs have been coded (loading libraries by bare name instead of by full path), so the program creators are the ones who need to issue individual patches. For these reasons mitigation is all that can be done for now. One mitigating action is stopping and disabling the service that allows this vulnerability to be exploited remotely (over the internet): the WebClient service, which lets Windows open files on WebDAV shares as if they were network folders. Disabling this service will have no impact on most users’ machines as far as functionality is concerned.
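Since the symptom of a successful attack of this kind is a trusted program running a DLL that came from a document folder or a network share, you can look for exactly that. The following PowerShell script is an added example for this post, not part of the original article or of any of the research mentioned above. It assumes Windows Vista or 7 with PowerShell 2.0 or later and an elevated prompt (so other users’ processes can be inspected); the list of “trusted” directories is a heuristic chosen here for illustration and will need tuning for software that keeps plug-ins elsewhere.

```powershell
# Added example: list DLLs that running processes have loaded from somewhere
# other than the Windows directory, the program's own folder or the Program
# Files trees. A DLL pulled in from a document folder or from a network share
# is what a planted-DLL attack looks like once it has succeeded.
# Assumptions: Vista/7, PowerShell 2.0+, run elevated. The trusted-root list
# below is an illustrative heuristic, not an authoritative whitelist.
function Get-SuspiciousModules {
    param(
        # Optional process names to inspect, e.g. 'iTunes','WINWORD'; default is all.
        [string[]]$ProcessName
    )
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles,
                      ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
                    Where-Object { $_ } |
                    ForEach-Object { $_.TrimEnd('\') + '\' }

    $procs = if ($ProcessName) {
        Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    } else {
        Get-Process
    }

    foreach ($p in $procs) {
        # Reading Modules fails for protected processes and across the 32/64-bit
        # boundary; skip those rather than abort the whole scan.
        try {
            $exeDir  = (Split-Path -Parent $p.MainModule.FileName).TrimEnd('\') + '\'
            $modules = $p.Modules
        } catch { continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            # UNC paths (\\server\share\...) cover both SMB and WebDAV shares;
            # a share mapped to a drive letter will not be caught by this test.
            $fromShare   = $path.StartsWith('\\')
            $fromAppDir  = $path.StartsWith($exeDir, [StringComparison]::OrdinalIgnoreCase)
            $fromTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $fromTrusted = $true
                    break
                }
            }
            if ($fromShare -or -not ($fromAppDir -or $fromTrusted)) {
                New-Object PSObject -Property @{
                    Process = $p.ProcessName
                    PID     = $p.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Reason  = if ($fromShare) { 'loaded from a network share' }
                              else            { 'loaded outside trusted directories' }
                }
            }
        }
    }
}

# Usage: scan everything and show the hits, network-share loads first.
Get-SuspiciousModules | Sort-Object Reason, Process | Format-Table Process, PID, Module, Path, Reason -AutoSize
```

Expect some noise on a real machine (browser plug-ins, printer drivers and the like live in odd places); the entries worth a second look are DLLs under a user’s Documents, Downloads or Temp folders, or on a UNC path, inside a program that has no business loading code from there.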

To stop and disable the WebClient service:

1a. For Windows XP users, click Start, then Run, type “cmd” (without quotation marks) and press Enter. You need to be logged in with an administrator account for the commands below to work.

1b. For Vista and 7 users, click Start, type “cmd” in the search box, right-click cmd.exe at the top of the list and select Run as administrator. Click Continue if prompted.

2. Now let’s type a couple of commands in the black window that appears.

First let’s stop the service. Type (or copy and paste):

SC stop webclient

And press enter.

Now let’s disable it so the service doesn’t restart automatically next time you reboot your computer. Type (or copy and paste):

SC config webclient start= disabled

And press enter.

(Notice the space after the equal sign in the above command. That’s mandatory.)

Now you can close the command prompt window where you typed all the above. If you ever need WebDAV shares again, the same two commands with “start= demand” instead of “start= disabled” put the service back the way it was.

A well configured firewall will also help mitigate this problem. The remote version of the attack works by luring you into opening a document on a share the attacker controls; with the WebClient service off, that leaves Windows file sharing (SMB), which uses ports 139 and 445. Block those ports, incoming and outgoing; for this particular attack it is the outgoing direction that matters, since it is your machine that connects out to the attacker’s share. (Port: in computer networking, specific channels are used to send and receive data. These are called ports and are numbered from 0 to 65535.) Be aware that functions like network file sharing and printing over a network will be affected by blocking these ports, so on a home or office network it is better to block them at the router, toward the internet, than on every PC. If you block these ports and afterwards notice a loss of network connectivity, revert the changes.
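For readers who would rather do the service and firewall steps in one go, here is the whole mitigation as a PowerShell script, with a rollback for the firewall part in case shares or printers stop working. This is an added example written for this post, not a Microsoft tool and not something from the original article. It assumes Windows Vista or 7 (the netsh advfirewall command does not exist on XP), an elevated PowerShell prompt, and uses firewall rule names chosen here for illustration.

```powershell
# Added example: the WebClient and firewall mitigations from this post as a
# script, plus a rollback and a status check.
# Assumptions: Vista/7, elevated PowerShell; rule names below are our own.
$RuleIn  = 'DLLHijack-BlockSMB-In'
$RuleOut = 'DLLHijack-BlockSMB-Out'

function Disable-WebClientService {
    # Same effect as "sc stop webclient" and "sc config webclient start= disabled".
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'WebClient service not found on this machine'; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    # Win32_Service reports the start mode, which Get-Service on PowerShell 2.0 does not.
    Get-WmiObject Win32_Service -Filter "Name='WebClient'" | Select-Object Name, State, StartMode
}

function Block-SmbPorts {
    # The remote SMB vector is the victim connecting OUT to the attacker's share,
    # so the outbound rule is the one that matters for this class; the inbound
    # rule follows the advice in the post. Both break file and printer sharing.
    netsh advfirewall firewall add rule name=$RuleIn  dir=in  action=block protocol=TCP localport=139,445  | Out-Null
    netsh advfirewall firewall add rule name=$RuleOut dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    netsh advfirewall firewall show rule name=$RuleOut
}

function Unblock-SmbPorts {
    # Revert the firewall change if network shares or printers stop working.
    netsh advfirewall firewall delete rule name=$RuleIn  | Out-Null
    netsh advfirewall firewall delete rule name=$RuleOut | Out-Null
}

function Test-Mitigations {
    # Status check: one object describing the current state of both mitigations.
    $svc  = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $rule = netsh advfirewall firewall show rule name=$RuleOut 2>$null
    New-Object PSObject -Property @{
        WebClientState     = if ($svc) { $svc.State }     else { 'absent' }
        WebClientStartMode = if ($svc) { $svc.StartMode } else { 'absent' }
        SmbOutboundBlocked = [bool]($rule -match 'Action:\s+Block')
    }
}

# Apply both mitigations and print the resulting state.
Disable-WebClientService
Block-SmbPorts
Test-Mitigations
```

To undo only the firewall part, run Unblock-SmbPorts from the same prompt; to re-enable WebDAV, run Set-Service -Name WebClient -StartupType Manual and start it again. Test-Mitigations can be run on its own at any time to confirm the machine is still in the protected state.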

Another action that can be taken is to close the door on unauthorized program execution with products like AppGuard by Blue Ridge Networks. This has been covered before in other computer security articles. Keep in mind that in this attack the malicious code is a library loaded by a trusted program, not a new program being launched, so only a tool that also controls which DLLs a program may load will stop it.

If you have any questions on how to do any the above, I’ll be happy to answer them.