Hackers Revealed More Than 300 Windows 10 Executables Are Vulnerable to DLL Hijacking Attack

Personal privacy and security are some of the most crucial and essential subjects that most users neglect. As recently, a security expert has unveiled more than 300 Windows 10 executables, that are vulnerable to the DLL hijacking attacks.

So, we must take the security into account, as in the current time, most of the private data is stored and processed on our computers. 

According to the security reports, a simple VBScript can give anyone unwanted users administrator rights in Windows 10. This is something that is known from a new report by a PwC UK security researcher, Wietze Beukema.

It shows that almost 300 executables in the System32 folder are vulnerable to DLL hijacking attack. This could be done with a simple VBScript, with which some of these EXE files can be used maliciously by going over the UAC or User Account Control. 

Not only that, but even this security flaw also allows the attackers to hijack the libraries as well. That’s why during this exploration process, an attacker causes a Windows executable to load a DLL, with malicious purpose.

More Than 300 Vulnerable Executables Were Discovered in Windows 10

These types of attacks are useful for attackers since they allow the execution of arbitrary code and gain elevated permissions, which gives some control of the attacked system. Now the techniques that were discovered include DLL replacement, hijacking DLL search commands, relative path DLL Hijacking, redirecting DLLs, and WinSxS DLL replacement.

To demonstrate this, Wietze Beukema focused on the libraries in the Windows 10 System32 folder. He copied the winstat.exe process to the download folder and ran the process monitoring tool, procmon.

With this, he was able to check what DLLs the executable is looking for. For all these things, an attacker needs to compile a customized version of DLLs that can be launched by the executable without any problem. 

At the same time, the researcher has contributed a complete list of libraries that are vulnerable to such attacks. These are not mere theoretical objectives since the potential attack has been proven to work, and the list comprises 287 executables and 263 unique DLLs.

Wietze Beukema tested this on Windows 10 64-bit (build 18362.476), and claimed that some of the DLLs would not work on 32-bit Windows. But, you can compile the C file with 32-bit GCC, as it will work well.

Windows 10 is Vulnerable to Its Own Executables and Libraries

Executing these malicious files does not require any additional parameters and the reasons why the researcher suggests the use of VBScript is to be able to create Windows directories with names comprising space to successfully carry out the attack. And this is something that cannot be achieved by traditional means.

Apart from this, there are some methods of prevention have been published, as experts are looking for the activities related to the fake windows app, or adjusting UAC settings to send all the notifications.

This could help prevent these attacks to a great extent, and if you want, then you could also monitor the creation of DLLs as well.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.