Numerous Windows 10 applications susceptible to DLL hijacking

18:55, 29 June 2020. Source: zdnet.de


Windows 10 1809 October 2018 update (Image: Microsoft)

A researcher finds almost 300 executable files in the System32 folder alone that can be made to load a specially crafted DLL file. He has published a list of the files on GitHub. However, there are restrictions on his attack.

Almost 300 internal Windows 10 applications are apparently susceptible to DLL hijacking. Bleeping Computer reports this on the basis of research by security researcher Wietze Beukema, who works for PwC in the UK. According to the report, under certain circumstances a simple VB script is enough for an unprivileged user to obtain administrator rights and thus completely bypass User Account Control (UAC).


The researcher found the executable files exclusively in the System32 folder of Windows 10. Attackers are said to be able to make these legitimate EXE files load a program library (DLL file) of their choice, which may be malicious. In his blog post, the researcher also describes various DLL hijacking techniques that could be used here.

Using the winstat.exe process as an example, Beukema explained his procedure. He copied the file to the Downloads folder and ran it from there. With the monitoring tool Procmon, he then observed which DLLs the EXE file tried to load. He then replaced each of the DLL files listed with a specially prepared version. This allowed him to find out which DLL files were not only looked up but actually loaded and executed, and are therefore susceptible to DLL hijacking.
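The Procmon step above is also the one a defender reproduces when triaging a suspicious binary or checking an application before deployment. The following Python script is an added example (it is not Beukema's tooling and not from the original article): it reads a Procmon CSV export and flags two things per DLL, a search-order probe (the process looked for a DLL in a directory outside the Windows system directories and got NAME NOT FOUND, which is where a planted DLL would be picked up) and an actual load of a DLL from such a directory. The CSV lines, DLL names and paths are constructed for the example; the trusted-directory list assumes Windows is installed on C:.

```python
import csv
import io
from dataclasses import dataclass

# Constructed Procmon CSV export (File > Save, "Comma-Separated Values").
# These lines are sample data for this example, not real trace output.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"18:55:01.0000001","winstat.exe","4212","CreateFile","C:\Users\alice\Downloads\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"18:55:01.0000002","winstat.exe","4212","CreateFile","C:\Windows\System32\VERSION.dll","SUCCESS","Desired Access: Read Data"
"18:55:01.0000003","winstat.exe","4212","Load Image","C:\Windows\System32\VERSION.dll","SUCCESS","Image Base: 0x7ff800000000"
"18:55:01.0000004","winstat.exe","4212","CreateFile","C:\Users\alice\Downloads\dwmapi.dll","SUCCESS","Desired Access: Read Data"
"18:55:01.0000005","winstat.exe","4212","Load Image","C:\Users\alice\Downloads\dwmapi.dll","SUCCESS","Image Base: 0x7ff800100000"
"18:55:01.0000006","winstat.exe","4212","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff800200000"
'''

# Directories from which DLL loads are considered expected (assumption: system drive C:).
# Everything else (user profile, Downloads, temp, the EXE's own copy location) is suspect.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass(frozen=True)
class Finding:
    process: str
    pid: str
    dll: str
    path: str
    kind: str  # "probe": looked for here and not found; "loaded": actually mapped from here


def is_trusted(path: str) -> bool:
    """True if the path lies under one of the trusted system directories."""
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: list) -> list:
    """Return hijack-relevant DLL events: probes in untrusted dirs and loads from them."""
    findings = []
    for row in rows:
        path = row["Path"]
        if not path.lower().endswith(".dll") or is_trusted(path):
            continue
        dll = path.rsplit("\\", 1)[-1]
        op, result = row["Operation"], row["Result"]
        if op == "CreateFile" and result == "NAME NOT FOUND":
            kind = "probe"      # search order consulted this directory before System32
        elif op == "Load Image" and result == "SUCCESS":
            kind = "loaded"     # a DLL outside the system directories was mapped: investigate
        else:
            continue
        findings.append(Finding(row["Process Name"], row["PID"], dll, path, kind))
    return findings


def report(findings: list) -> list:
    """Human-readable summary lines, one per finding."""
    return [f"{f.kind:6} {f.process} (PID {f.pid}) {f.dll} <- {f.path}" for f in findings]


if __name__ == "__main__":
    for line in report(triage(parse_procmon_csv(SAMPLE_PROCMON_CSV))):
        print(line)
```

A "probe" finding means the executable's DLL search order reaches a directory that an unprivileged user can write to before it reaches System32; a "loaded" finding means a DLL from such a directory was actually executed and should be compared against the copy in System32. In the constructed trace, VERSION.dll is a probe and dwmapi.dll is a load from the Downloads folder.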


However, according to the researcher, an attacker would have to ensure that his specially crafted DLL file loads without errors. Tools such as DLL Export Viewer help here: they provide insight into the structure of a program library and list all of its exported functions. These could then be duplicated in the crafted DLL for a DLL hijacking exploit.

In this way, Beukema classified a total of 287 executable files in the System32 folder and 263 different DLL files as vulnerable. He has published the complete list on GitHub.

However, there are restrictions. For example, only executable files that do not require any arguments are reportedly suitable. According to the researcher, applications with elaborate graphical interfaces or error-reporting functions should also be avoided. DLLs written in C++ are also not suitable.

Beukema considered files to be particularly dangerous when they are susceptible to hijacking and at the same time are granted administrator rights without triggering User Account Control. Microsoft is said to have given a total of 35 executable files this privilege in order to reduce the number of UAC prompts and increase acceptance among users. According to the researcher, the restrictions intended to prevent abuse of this privilege can also be circumvented.
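The privilege the paragraph refers to is declared in the executable's embedded application manifest (the `autoElevate` setting, alongside `requestedExecutionLevel`). An administrator who wants to know which binaries on a machine carry it can inventory them. The script below is an added example, not part of the article or of Beukema's work: it pulls the manifest XML out of a binary's raw bytes and reports the two settings. The two sample binaries are constructed byte strings; the assumption is that the manifest is stored as plain UTF-8 text inside the file (the usual case for the RT_MANIFEST resource), so the byte search is a heuristic rather than a full PE resource parser. Sysinternals `sigcheck -m` prints the same manifest for real files.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Embedded manifests are stored as UTF-8 XML inside the RT_MANIFEST resource.
# Assumption: a raw byte search finds it; a full PE resource parser would be more robust.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Constructed sample "binaries": an MZ stub followed by a manifest and padding.
SAMPLE_AUTO_ELEVATE = b"MZ\x90\x00" + b"\x00" * 32 + b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>""" + b"\x00" * 16

SAMPLE_AS_INVOKER = b"MZ\x90\x00" + b"\x00" * 32 + b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>""" + b"\x00" * 16


def extract_manifest(data: bytes):
    """Return the embedded manifest XML as text, or None if no manifest is found."""
    m = MANIFEST_RE.search(data)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def _local_name(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag ('{ns}autoElevate' -> 'autoElevate')."""
    return tag.rsplit("}", 1)[-1]


def elevation_info(data: bytes) -> dict:
    """Report whether the binary declares autoElevate and which execution level it requests."""
    info = {"has_manifest": False, "auto_elevate": False, "execution_level": None}
    xml_text = extract_manifest(data)
    if xml_text is None:
        return info
    info["has_manifest"] = True
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return info  # malformed manifest: report as present but undecidable
    for element in root.iter():
        name = _local_name(element.tag)
        if name == "autoElevate":
            info["auto_elevate"] = (element.text or "").strip().lower() == "true"
        elif name == "requestedExecutionLevel":
            info["execution_level"] = element.get("level")
    return info


def scan_directory(directory: str) -> list:
    """List (file name, info) for every .exe in a directory that declares autoElevate."""
    hits = []
    for exe in Path(directory).glob("*.exe"):
        info = elevation_info(exe.read_bytes())
        if info["auto_elevate"]:
            hits.append((exe.name, info))
    return hits


if __name__ == "__main__":
    # Example: python this_script.py run against C:\Windows\System32 via scan_directory().
    print(elevation_info(SAMPLE_AUTO_ELEVATE))
    print(elevation_info(SAMPLE_AS_INVOKER))
```

Binaries for which `auto_elevate` is true and which also appear on a hijackable-executable list are the combination the article singles out; they are the ones to keep an eye on in DLL-load telemetry (for instance with the Procmon triage described earlier), since a DLL loaded into them runs with administrator rights without a UAC prompt.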


