New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

This is a problem that should have been solved before either Windows 10 or 11 existed.

 

An adversary needs to write the malicious dll into some directory that is part of the search order. i didn't see it mentioned how they typically do this, but maybe I missed it.

 

An interesting article on a dll hijack, at least one that I thought was safe to post here. A little googling will find some more interesting ones.
Bypassing CVE-2018-15442: Another Case of DLL Hijacking (coresecurity.com)

 

From the Hacker News article;

 

Mainly powershell. Okay thanks for those links.

 

I honestly still don't understand why M$ can't seem to fix this problem, I'm sure they can come up with something? Like whitelisting DLL's in certain folders (all other ones aren't allowed), or simply denying DLL's from being copied into certain folders?

 

Probably because they brush it aside as being a trivial - to themselves at least - concern. Just like they ditch (deprecate) features they feel are now worthless and nobody wants

 

For those interested, have made a blog post here:
https://blog.osarmor.com/370/new-dll-search-order-hijacking-via-system-processes-on-winsxs-folder/

 

Nice! Thanks for that and a big thank you for continuing development on a terrific security utility you provide in OSArmor at a great subscription rate

 

The best thought I have would be to make them specify a path and digitally sign it. But, easier said than done.

 

I don't claim to understand all about this DLL hijacking stuff, but I'm sure MS can come up with something. For example, HitmanPro.Alert has implemented protection for this stuff, and I'm sure it doesn't cover every DLL attack method, but it's better than nothing.

Interesting stuff, thanks! Very cool that OSArmor can block this particular attack.