Now It's Apple's Turn to Face the DLL Threat
FREMONT, CA: Dynamic Link Library (DLL) hijacking, which has plagued Windows for more than a decade, has now surfaced on Apple's Mac OS X.
Patrick Wardle, Director of Research at Synack, a security intelligence company, has shown that the OS X variant, dylib hijacking, can be used to bypass several of OS X's layers of security; he presented the research at a recent security conference.
DLL hijacking injects malicious code into an application by supplying a malicious library with the same name as one the application loads; whether an application can be hijacked depends on how it references its libraries, by a bare name or a search path rather than a fixed, verified location. Sean Michael Kerner reports for eWeek that Wardle submitted a bug report to Apple and initially received no response; resubmitting it drew only an automated reply.
Wardle said that Apple's built-in anti-malware technology, Gatekeeper, does not stop the attack. A Python script he wrote to test applications for the weakness found over 150 binaries susceptible to dylib hijacking. He characterized these attacks as stealthy: they abuse legitimate loader functionality rather than a bug, which makes them difficult to defend against.
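The scan Wardle describes looks for binaries whose load commands let a planted library win the loader's search. Two dyld behaviours make that possible: a weak import (LC_LOAD_WEAK_DYLIB) that is absent from disk is silently skipped, so a library planted at that path gets loaded; and an @rpath import is tried against each LC_RPATH directory in order, so if the real library lives only in a later directory, an earlier, possibly writable, directory can be seeded first. The following is an added example written for this page, not Wardle's scanner and not Apple code. It parses the load commands of a little-endian 64-bit Mach-O, resolves each import the way dyld would, and reports both conditions. The `exists` predicate is injectable so the run below uses a hand-built Mach-O and a constructed set of "existing" paths; `SAMPLE_EXE_DIR`, `libfoo.dylib` and `libbar.dylib` are assumptions for the demo, and `@loader_path` is treated as equal to `@executable_path`, which holds only when scanning the main executable rather than a loaded dylib.

```python
import os
import posixpath
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | 0x80000000  # LC_REQ_DYLD bit set
LC_RPATH = 0x1C | 0x80000000


def parse_load_commands(data):
    """Return [(cmd, raw_command_bytes)] from a little-endian 64-bit Mach-O header."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, cmds = 32, []  # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return cmds


def _lc_str(raw):
    # dylib and rpath commands both keep the lc_str offset field at byte 8
    str_off = struct.unpack_from("<I", raw, 8)[0]
    return raw[str_off:].split(b"\0", 1)[0].decode()


def expand(path, exe_dir):
    """Expand @executable_path/@loader_path. Assumption: we scan the main
    executable, where both prefixes resolve to the same directory."""
    for tok in ("@executable_path", "@loader_path"):
        if path == tok or path.startswith(tok + "/"):
            return posixpath.normpath(exe_dir + path[len(tok):])
    return posixpath.normpath(path)


def candidates(name, exe_dir, rp_dirs):
    """Paths dyld would try, in order, for one LC_LOAD_[WEAK_]DYLIB entry."""
    if name.startswith("@rpath/"):
        return [posixpath.join(d, name[len("@rpath/"):]) for d in rp_dirs]
    return [expand(name, exe_dir)]


def find_hijackable(data, exe_dir, exists=os.path.exists):
    """Return [(kind, dylib_name, path_to_plant)]; `exists` is injectable for offline runs."""
    dylibs, rpaths = [], []
    for cmd, raw in parse_load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            dylibs.append((_lc_str(raw), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            rpaths.append(_lc_str(raw))
    rp_dirs = [expand(rp, exe_dir) for rp in rpaths]
    findings = []
    for name, weak in dylibs:
        cands = candidates(name, exe_dir, rp_dirs)
        if not cands:
            continue  # @rpath import with no LC_RPATH: dyld cannot resolve it either
        hit = next((i for i, c in enumerate(cands) if exists(c)), None)
        if hit is None and weak:
            findings.append(("weak", name, cands[0]))   # optional lib absent: plant one
        elif hit:  # found only in a later search dir, so an earlier one is empty
            findings.append(("rpath", name, cands[0]))
    return findings


# --- constructed sample input: hand-built Mach-O load commands, not a real binary ---
def _dylib_cmd(cmd, name):
    body = name.encode() + b"\0"
    size = 24 + len(body)
    size += -size % 8  # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, size, 24, 2, 0x10000, 0x10000) + body.ljust(size - 24, b"\0")


def _rpath_cmd(path):
    body = path.encode() + b"\0"
    size = 12 + len(body)
    size += -size % 8
    return struct.pack("<3I", LC_RPATH, size, 12) + body.ljust(size - 12, b"\0")


def sample_binary():
    cmds = [
        _rpath_cmd("@executable_path/../Frameworks"),
        _rpath_cmd("/usr/lib/custom"),
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        _dylib_cmd(LC_LOAD_DYLIB, "@rpath/libfoo.dylib"),
        _dylib_cmd(LC_LOAD_WEAK_DYLIB, "/usr/lib/libbar.dylib"),
    ]
    blob = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(blob), 0, 0) + blob


SAMPLE_EXE_DIR = "/Applications/Demo.app/Contents/MacOS"  # assumed demo location
SAMPLE_EXISTING = {"/usr/lib/libSystem.B.dylib", "/usr/lib/custom/libfoo.dylib"}


def sample_findings():
    return find_hijackable(sample_binary(), SAMPLE_EXE_DIR, lambda p: p in SAMPLE_EXISTING)


if __name__ == "__main__":
    for kind, name, plant in sample_findings():
        print(f"{kind:5} {name} -> plant at {plant}")
```

Against the constructed sample, `libfoo.dylib` is reported as an rpath hijack because it resolves only in the second LC_RPATH directory, leaving `Contents/Frameworks` empty, and `libbar.dylib` as a weak hijack because the optional library is missing entirely. A real scan would pass the binary's bytes and keep the default `os.path.exists`; whether a reported path is actually exploitable then depends on whether the current user can write to it, which this scanner deliberately does not decide.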
He added that a hijack can be made persistent, so the malicious library runs every time the system boots. Initial infection is feasible because some software is still downloaded over plain HTTP rather than HTTPS, leaving the download open to interception and modification in transit.
He also said that the attack was tested against Mac security products and none of them detected it. "Apple could change the dynamic loader such that when a signed application is loaded, it will only load DLLs that are signed by the same company or developer," Wardle said. "For users, there is no reason why companies should have software downloads over HTTP, as they are trivially easy to intercept," he added.