Symantec Patches DLL Hijacking Hole

Tuesday, November 29, 2016 @ 05:11 PM gHale

Symantec fixed a DLL loading flaw in several of its enterprise products.

Although these are vulnerabilities that affect software from major vendors, they are seen as low risk.

The DLL hijacking flaw, tracked as CVE-2016-6590, was brought to Symantec’s attention by one of its employees, senior threat analysis engineer Himanshu Mehta.

The vulnerability affects Symantec’s IT Management Suite (ITMS) 8.0, Ghost Solution Suite (GSS) 3.1 and Endpoint Virtualization (SEV) 7.x. Updates have been released for each of the vulnerable products.

The affected products don’t use an absolute path when loading DLL files during boot-up or reboot, Symantec researchers said. This can lead to a rogue DLL file being loaded by the software before the legitimate file, resulting in arbitrary code execution, possibly even with elevated privileges.

For the attack to work, the attacker must be able to plant a malicious file or trick the victim into downloading the rogue DLL to their system.

In Windows, applications can control the location from which a DLL is loaded by specifying a full path or by using other mechanisms. However, if the application does not use these methods, the operating system relies on a standard DLL search order to locate the needed file.

In the case of desktop applications, the OS first looks for the DLL in the directory from which the app was loaded.
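The first-match rule described above can be modelled offline to audit an install directory for DLLs that would be found before the system copy. This is an added example, not code from Symantec or the original article; the directory layout, DLL names and the two-entry search order (application directory, then system directory) are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


def resolve_dll(name, search_dirs):
    """Return the first match for `name` in search order (case-insensitive), or None."""
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directory: the search moves on
        for entry in entries:
            if entry.lower() == name.lower():
                return Path(directory) / entry
    return None


def audit_shadowing(imports, search_dirs, trusted_dirs):
    """List (dll, winning_copy, trusted_copy) where an untrusted copy is found first."""
    trusted = {Path(d).resolve() for d in trusted_dirs}
    findings = []
    for name in imports:
        winner = resolve_dll(name, search_dirs)
        legit = resolve_dll(name, trusted_dirs)
        if winner is None or legit is None:
            continue  # not found, or a private DLL with no system counterpart
        if winner.parent.resolve() not in trusted:
            findings.append((name, winner, legit))
    return findings


def demo():
    """Constructed layout: empty placeholder files stand in for real DLLs."""
    root = Path(tempfile.mkdtemp())
    app_dir, system_dir = root / "app", root / "system32"
    for d in (app_dir, system_dir):
        d.mkdir()
    (system_dir / "version.dll").touch()
    (system_dir / "wtsapi32.dll").touch()
    (app_dir / "VERSION.dll").touch()   # same name in the app directory
    (app_dir / "appcore.dll").touch()   # the app's own private DLL
    order = [app_dir, system_dir]       # application directory is searched first
    return audit_shadowing(["version.dll", "wtsapi32.dll", "appcore.dll"],
                           order, [system_dir])


if __name__ == "__main__":
    for name, winner, legit in demo():
        print(f"{name}: loader would pick {winner}, not {legit}")
```

On a real host, pass the product's install directory and the Windows system directory instead of the constructed ones. A finding is a prompt to check the file's signature and the directory's write permissions, not proof of compromise.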

While Symantec has classified the DLL loading issue affecting its products as “high severity”, many organizations, including security firms, see these as low-risk flaws.
