DLL Hijacking Issue Plagues Products like Firefox, Chrome, iTunes, OpenOffice

Share this…

Oracle patches Java installer against DLL hijacking issue. Oracle has released new Java installers to fix a well-known security issue (CVE-2016-0603) that also affects o plethora of other applications, from Web browsers to antivirus products, and from file compressors to home cinema software.

The problem is called DLL hijacking (or DLL side-loading) and refers to the fact that malware authors can place DLLs of the same name in specific locations on the target’s filesystem and have it inadvertently load the malicious DLL instead of the safe one.


DLL hijacking is a very well-known issue

This type of attack is very old and has been known to many software vendors, and especially to malware authors, who sometimes prefer it because it allows them to hijack legitimate applications and not to rely on convincing users to double-click and execute their own malicious binary.

If you’ve been keeping an eye on infosec sites like Packet Storm, SecLists, or Security Focus, German security researcher Stefan Kanthak has been quite busy testing the installers of various software products against this vulnerability.

Here’s a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes.

Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7’s ScanNowUPnP, Kaspersky, and F-Secure.

Oracle was the first one to take his report seriously, patched Java and VirtualBox

According to a blog post from last Friday, February 5, Oracle decided to release new versions for its Java 6, 7, and 8 installers that protect users from this type of attack.

“Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97 or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later,” said the company in its announcement.

Additionally, besides the updates to Java SE’s installer, the company also addressed this very same issue (CVE-2016-0602) in its VirtualBox VM installer, during its quarterly security update train last month.

Since it’s pretty hard to track all bug reports to the various vendors affected by this issue, we’ve sent an email to ask Mr. Kanthak if other vendors besides Oracle have addressed this issue until now. We’ll update the article with his response.