igor - Fotolia
Symantec reported a major dynamic link library (DLL) code vulnerability that affects three of its enterprise security...
products. DLL code vulnerabilities are usually considered to be lesser threats to enterprises. What is the flaw, and why has Symantec labeled it as a severe vulnerability?
A flaw that allows attackers to load malicious DLL files was found by one of Symantec's senior threat analysis engineers in its IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products. According to Symantec, the affected products don't use an absolute path when loading DLL files during the boot process.
A DLL has code and data that can be used by multiple applications simultaneously. Just like executable files, DLL files can contain code, data and resources, such as images, but they can be used by more than one program at the same time.
There are many benefits to using shared libraries, including modularity, code reuse, reduced disk space and efficient memory usage and load times. However, if an application dynamically loads a DLL without specifying a fully qualified path to its location, it opens up the possibility of a DLL preloading attack when Windows attempts to locate the DLL file by searching a well-defined set of directories. If an attacker can copy a malicious version of the DLL file into one of these directories, the application may load and execute the malicious DLL file instead of the authorized file that it was expecting. This can enable an attacker to execute code while posing as the user who is running the application. When the application is being run as administrator, this could lead to a local elevation of privilege.
Although many experts see this type of malicious DLL vulnerability as low risk, Symantec classified the issue, listed as CVE-2016-6590, as high risk based on the new Common Vulnerability Scoring System's (CVSS) scoring methodology, which is a mathematical approximation of all possible metric combinations ranked in order of severity.
The fact that this vulnerability can lead to code execution is the main reason it scores highly, even though an attacker would first need to successfully trick an authorized user to visit a malicious website or click on a malicious email link to download the malicious DLL.
Microsoft has provided advice for securely loading DLLs for several years, so it's disappointing that Symantec didn't follow this best practice. Symantec has released updates to address the problem.
Learn about the flaws in the LibTIFF library that could lead to remote code execution
Find out how to spot and eradicate obfuscated macro malware
Discover what CVSS version 3.0 means for vulnerability scoring
Dig Deeper on Threat detection and response
Related Q&A from Michael Cobb
As bitcoin use increases, so too have the number of cyber attacks on cryptocurrency exchanges and wallets. Learn how to keep bitcoin use secure. Continue Reading
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading