New Windows DLL hijacking vuln announced

Quick note about a new Windows DLL vulnerability whose details have been announced. The best place to start investigating this is HD Moore’s Metasploit blog post. It is worth noting that most organizations block outbound SMB ports at the firewall. An internal attack is still quite possible, and so is being redirected to an external WebDAV instance. Thankfully WebDAV is not common out in the wild, so that scenario is slightly less of a risk, but it might still be useful to block unnecessary HTTP methods like PROPFIND on your web filters. Unless, like my shop, you are a heavy Windows .NET dev shop, it might be useful to include all .dll files in your network share content scans. You should prefer to know what’s out there and what’s new if that isn’t too much of a burden (it is when my devs have innumerable DLL files out on my network).
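One way to keep track of which DLLs are on a share and which are new, as an added example that is not from the original post or from any tool it mentions. The function names, the choice of SHA-256, and the temporary directory standing in for a network share are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def inventory_dlls(root):
    """Map each .dll path (relative to root) to its SHA-256 digest."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):  # extension match is case-insensitive
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                # Record unreadable files instead of silently skipping them.
                found[rel] = "unreadable"
                continue
            found[rel] = digest.hexdigest()
    return found

def diff_inventory(baseline, current):
    """Return (new, changed, removed) path lists between two scans."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, changed, removed

def demo():
    """Constructed sample data: a temp directory plays the role of the share."""
    with tempfile.TemporaryDirectory() as share:
        docs = os.path.join(share, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "known.DLL"), "wb") as fh:
            fh.write(b"constructed sample v1")
        baseline = inventory_dlls(share)
        # Next scan: one DLL modified, one DLL added, one non-DLL added.
        for name, data in (("known.DLL", b"constructed sample v2"),
                           ("fresh.dll", b"constructed sample new"),
                           ("notes.txt", b"not a dll")):
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(data)
        return diff_inventory(baseline, inventory_dlls(share))

if __name__ == "__main__":
    print("new=%s changed=%s removed=%s" % demo())
```

In practice the baseline would be saved between runs and the scan pointed at the share's path; on a share full of legitimate build output the "new" list is what needs triage.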

While we don’t have a huge plethora of worms and remote attacks these days, the number of attacks available (e.g. to pen testers) that go after users directly and actively is crazy high. Convince a user to do/go/open x and you’re in.