Latest Iteration of DLL Search Order Hijacking Circumvents Security Measures in Windows 10 and 11

Abdul ES2

2024-01-11


Product and Affected Versions

Microsoft Windows 10 and Windows 11 operating systems

Severity and CVE ID

The severity of this vulnerability is rated significant because it lets threat actors execute malicious code on compromised systems. No CVE ID had been assigned in the report this summary is based on.

Vulnerability

The vulnerability is a new variant of DLL search order hijacking that abuses the trusted WinSxS (Windows side-by-side) folder. Using the classic search-order technique, threat actors place malicious DLLs, named after legitimate ones, in non-standard directories. When an application then loads a DLL without specifying its full path, a malicious DLL in the WinSxS folder can be loaded in place of the legitimate one, giving the attacker code execution without requiring elevated privileges.

How Attack Works

  1. Exploiting DLL Search Order: Threat actors move legitimate system binaries into non-standard directories that also contain malicious DLLs carrying the names of legitimate ones.
  2. Directory Search Order: When a process calls for a DLL, Windows searches in a specific order:
    • The directory from which the application is launched
    • Standard Windows directories like “C:\Windows\System32” and “C:\Windows\System”
    • The trusted “C:\Windows\WinSxS” folder (exploited in this attack)
    • Other directories in the system and user’s PATH environment variable
  3. Execution of Malicious Code: Because of the search order, the malicious DLLs in the WinSxS folder are resolved first, so the attackers' code runs in place of the legitimate DLLs.

Remediations

  1. Vendor Patch: Microsoft needs to address this vulnerability with a security update that alters the DLL search order or strengthens validation of DLL loading to prevent malicious DLL execution.
  2. Specific Configurations: Configure applications to specify the full path for required DLLs rather than relying on the system’s search order.
  3. Monitoring and Detection: Employ security solutions that monitor and detect unusual DLL loading or manipulations within critical Windows directories like WinSxS.
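The two signals this post describes, a system binary running from a non-standard directory (attack step 1) and a DLL with a system DLL's name resolved from outside the system directories (remediation 3), can be expressed as a small triage rule over image-load telemetry. The example below is added here and is not code from the original ES2 post; it operates on constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields, and the trusted-directory list, the DLL and executable name lists, and every path are assumptions made for illustration. WinSxS is intentionally left out of the trusted list so that loads from it surface for review; note that an application manifest can legitimately redirect a load into WinSxS, so those hits warrant a look rather than an automatic block.

```python
"""Added detection example for this post (not part of the original ES2 text).

Reviews records shaped like Sysmon Event ID 7 (ImageLoad) and flags the two
signals the post describes: a Windows system binary executing from a
non-standard directory, and a DLL that carries a system DLL's name but is
loaded from outside the system directories. All paths, names and the
allow-lists below are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories whose contents Windows itself installs (assumption: drive C:).
# WinSxS is deliberately NOT listed, so loads from it surface for review.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system",
)

# Constructed allow-lists. A real deployment would derive these from a golden
# image inventory rather than hard-coding a handful of names.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "propsys.dll"}
SYSTEM_EXE_NAMES = {"svchost.exe", "dllhost.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields."""
    image: str         # "Image": the process that performed the load
    image_loaded: str  # "ImageLoaded": full path of the DLL that was mapped
    signed: bool       # "Signed": Sysmon's Authenticode verdict, as a bool


def in_trusted_dir(path: str) -> bool:
    """True when the file sits in (or beneath) one of TRUSTED_DIRS."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def classify(event: ImageLoad) -> list[str]:
    """Return the reasons this load looks like search-order hijacking (empty if clean)."""
    findings: list[str] = []
    exe_name = ntpath.basename(event.image).lower()
    dll_name = ntpath.basename(event.image_loaded).lower()

    # Signal 1 from the post: a legitimate system binary relocated elsewhere.
    if exe_name in SYSTEM_EXE_NAMES and not in_trusted_dir(event.image):
        findings.append(f"system binary {exe_name} running from {ntpath.dirname(event.image)}")

    # Signal 2: a DLL named like a system DLL resolved from a non-standard path.
    if dll_name in SYSTEM_DLL_NAMES and not in_trusted_dir(event.image_loaded):
        findings.append(f"{dll_name} loaded from {ntpath.dirname(event.image_loaded)}")
        if not event.signed:
            findings.append(f"{dll_name} is unsigned")
    return findings


def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to its findings; clean loads are omitted."""
    return {ev.image_loaded: hits for ev in events if (hits := classify(ev))}


# Constructed sample telemetry: one benign load and two that match the pattern.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\Public\staging\dllhost.exe",
              r"C:\Users\Public\staging\version.dll", signed=False),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe",
              r"C:\Windows\WinSxS\example_dir\propsys.dll", signed=True),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Running the block prints the two suspicious loads with their reasons and stays silent for the svchost.exe load from System32. Feeding it real Sysmon output means mapping the `Image`, `ImageLoaded` and `Signed` fields of each Event ID 7 record into `ImageLoad`; the name lists should then come from an inventory of the organisation's own golden image rather than the constructed sets above.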

Reference

For further details and updates, refer to official advisories from Microsoft and trusted cybersecurity resources tracking Windows vulnerabilities.
