Security Watch

False Sense of DLL Security

Dynamic link library vulnerabilities have long been the bane of Windows IT pros existence, especially this year. As recently as August, Microsoft issued workarounds and guidance on DLL flaws and later, even patched the issue.

Well it's not over yet.

According to this recent entry from the Acros Security Blog, Windows applications remain vulnerable to DLL hijacking, even on patched systems. The research shop says "DLL planting and DLL loading" are still possible because of the sporadic and erratic way Windows loads DLLs. Such attacks, it should be pointed out are highly technical in nature and require detailed and intimate knowledge of Windows directories and binary code. Perhaps that's the very reason that Windows IT pros should take notice.

Microsoft Mulls Encrypting Bing
Last week we talked about Firesheep, a tool that allows its users to spy on browser sessions on an open wifi network. Mostly Firesheep is designed to work with a user during a Firefox session. So, where does Microsoft come in?

The blogosphere is ablaze with assertions that Redmond-owned Windows Live is among the sites that can be hacked with Firesheep. Specifically, one blogger who believe this to be true is Errata Security's Robert Graham.

Graham as well as other security bloggers, such as Eric Bulter, who created Firesheep, have made assertions about the Firesheep presentation being a "game changer," and prompting the need for a secure sockets layer and other types of encryption on Microsoft-related sites.

So far Firesheep is only designed for Firefox browsing sessions, so IE users don't have the same concerns for now. But a NetworkWorld blog claims that the managers of Redmond's Bing search engine are looking to add SSL to it. The blog quotes a Microsoft spokesman: "The security and privacy of our customers is very important to us at Bing. We are looking at SSL and other technologies for future releases of Bing."

The thinking here seems to be that it's only a matter of time before a browser snooping technology that affects IE surfaces or before Microsoft-related sites accessed during Firefox sessions come under greater risk.

Google Serious About Mobile
Google's Android Smartphone, with its hip OS, is outselling Apple's much lauded and popular iPhone. And Google is taking it a step farther in the one-upmanship game with a comprehensive program for mobile security. According to the Google Enterprise blog, Android users will now be able to access mission critical files with built-in administrative settings.

Among these capabilities are those found previously in corporate laptops. These include the ability to:

  • Remotely wipe all data from lost or stolen mobile devices
  • Lock idle devices after a period of inactivity
  • Require a device password on each phone
  • Set minimum lengths for more secure passwords
  • Require passwords to include letters and numbers

It's good to hear Google is getting ready for inevitable security problems that could leave them and their customers vulnerable in the enterprise.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Reader Comments:

Thu, Nov 18, 2010 Tom

Microsoft should provide full session encryption for it's Live platform such as Hotmail (not just for authentication). Not having such encryption not only opens the door for security issues, but also for plenty of negative advertising by competitors.

Thu, Nov 4, 2010 Dan Iowa

This whole dll security issue seems to be a bit of security theater. Sure it's something to be aware of, but really? How much more security is there? Let's say you stop Windows from loading dlls from "relative paths" altogether. All you've done is narrow the target location for replacing the binaries. A dll is little different from an exe, or any other file that is given control by the OS. "Binary Planting" is really just a specialized form of "Binary Substitution". The real protection is in the ACLs on the folders where the binaries can be loaded from. If bad guys can create or overright binaries in those locations, then they can inject code. It's just that simple. If you execute the code just by the nature of it being there, then there's the potential that you'll execute malware. Doesn't matter what OS. They are all vulnerable to that. Specifying fully qualified paths, or using some tool to monkey with where an OS will search for binaries is not going to do much of anything to change that.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.