https://thehackernews.com/2024/01/new-variant-of-dll-search-order.html Also see https://www.securityjoes.com/post/h...closet-unmasking-the-winsxs-hijacking-hideout
An adversary needs to write the malicious DLL into some directory that is part of the search order. I didn't see it mentioned how they typically do this, but maybe I missed it.
An interesting article on a DLL hijack, at least one that I thought was safe to post here. A little googling will find some more interesting ones. Bypassing CVE-2018-15442: Another Case of DLL Hijacking (coresecurity.com)
I honestly still don't understand why M$ can't seem to fix this problem, I'm sure they can come up with something? Like whitelisting DLLs in certain folders (all other ones aren't allowed), or simply denying DLLs from being copied into certain folders?
Probably because they brush it aside as being a trivial - to themselves at least - concern. Just like they ditch (deprecate) features they feel are now worthless and nobody wants.
For those interested, I have made a blog post here: https://blog.osarmor.com/370/new-dll-search-order-hijacking-via-system-processes-on-winsxs-folder/
Nice! Thanks for that, and a big thank you for continuing development on a terrific security utility you provide in OSArmor at a great subscription rate.
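The "whitelist DLLs in certain folders" idea above can be approximated today as a read-only audit: list DLLs under WinSxS that either lack a valid Microsoft Authenticode/catalog signature or were written recently. This is an added example for this thread, not code from any poster or from OSArmor; the 7-day threshold and the Microsoft subject match are assumptions to tune for your environment, and catalog-signed files are reported as Valid only on Windows versions where Get-AuthenticodeSignature is catalog-aware.

```powershell
# Added example (not from the thread): flag DLLs under WinSxS that are not
# Microsoft-signed or were written recently. Read-only audit; run from an
# elevated PowerShell so every subdirectory is readable.
$Root       = Join-Path $env:SystemRoot 'WinSxS'
$RecentDays = 7                         # assumed threshold; align with patch cadence
$cutoff     = (Get-Date).AddDays(-$RecentDays)

Get-ChildItem -Path $Root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # "Microsoft-signed" here means a Valid signature whose signer subject
        # names Microsoft Corporation; anything else is treated as untrusted.
        $msSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
        $recent   = $_.LastWriteTime -gt $cutoff

        if (-not $msSigned -or $recent) {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SigStatus     = $sig.Status
                SigType       = $sig.SignatureType   # Authenticode, Catalog or None
                Signer        = $subject
                Reason        = if (-not $msSigned) { 'NotMicrosoftSigned' } else { 'RecentlyWritten' }
            }
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

A recently written DLL that is validly Microsoft-signed is usually just Windows Update servicing the component store; the rows to triage first are those with SigStatus other than Valid or a non-Microsoft signer.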
The best thought I have would be to make them specify a path and digitally sign it. But, easier said than done.
I don't claim to understand all about this DLL hijacking stuff, but I'm sure MS can come up with something. For example, HitmanPro.Alert has implemented protection for this stuff, and I'm sure it doesn't cover every DLL attack method, but it's better than nothing. Interesting stuff, thanks! Very cool that OSArmor can block this particular attack.