August 2021 Archives
Mon Aug 23 12:49:11 EEST 2021
DLL hijacking: 21 years old and still alive
Trustworthy defense in depth: DLL hijacking
Wikipedia on DLL hijacking
Due to a vulnerability commonly known as DLL hijacking, DLL spoofing, DLL preloading or binary planting, many programs will load and execute a malicious DLL contained in the same folder as a data file opened by these programs.[11][12][13][14] The vulnerability was discovered by Georgi Guninski in 2000.[15] In August 2010 it gained worldwide publicity after ACROS Security rediscovered it again and many hundreds of programs were found vulnerable.[16] Programs that are run from unsafe locations, i.e. user-writable folders like the Downloads or the Temp directory, are almost always susceptible to this vulnerability.
Our original advisory is from Mon, 18 Sep 2000
The DLL hijacking vulnerability is CVE-2000-0854
It has been known since 2000-09-19 that third-party programs are vulnerable too, e.g. Bugtraq: Exploit using Eudora and the Guninski hole
The Nimda worm was released on the same day and used the vulnerabilities in the advisory.
Searching the web returns many results since 2020 and a site Latest DLL Hijack news.
In other news from 2020: Almost 300 Windows 10 executables vulnerable to DLL hijacking
It appears to us that the vulnerability is so hard to fix that it will live forever.
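The condition in the Wikipedia quote above (a DLL sitting beside data files or executables in a user-writable folder) is something a defender can audit for. The Python sketch below is an added example, not part of the original post or advisory; the function names are hypothetical, and the DLL name list and directory layout are constructed samples.

```python
import os
import tempfile

# Constructed sample of names that normally live in System32; on a real host,
# build this set from os.listdir(r"C:\Windows\System32") instead.
SAMPLE_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll"}


def find_planted_dll_candidates(root, system_dlls=SAMPLE_SYSTEM_DLLS):
    """Return (dll_path, neighbours) for each DLL under root whose name
    shadows a system DLL and which shares a folder with non-DLL files."""
    names = {n.lower() for n in system_dlls}
    findings = []
    for folder, _dirs, files in os.walk(root):
        # Data files or executables that could cause a load from this folder.
        others = sorted(f for f in files if not f.lower().endswith(".dll"))
        for f in sorted(files):
            if f.lower() in names and others:
                findings.append((os.path.join(folder, f), others))
    return findings


def demo():
    """Build a constructed Downloads/Temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Downloads/report.docx": b"data",
            "Downloads/VERSION.dll": b"MZ",      # shadows a system DLL name
            "Downloads/tool/helper.dll": b"MZ",  # not a system DLL name
            "Downloads/tool/setup.exe": b"MZ",
            "Temp/dwmapi.dll": b"MZ",            # alone in its folder
        }
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), n)
                for p, n in find_planted_dll_candidates(root)]


if __name__ == "__main__":
    for dll, neighbours in demo():
        print(f"review: {dll} next to {neighbours}")
```

A hit is only a candidate for review: some applications legitimately ship a private copy of a DLL beside their executable.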
Tue Aug 17 14:35:14 EEST 2021
Opinion: Governments don't want IT security, they want to have cyber weapons
Support for the above claim:
- In 2015 exploits of NSA were leaked by Shadow crew. Search terms: `nsa leak shadow crew`. E.g. see NSA Hacked? 'Shadow Brokers' Crew Claims Compromise Of Surveillance Op
- From 2015: search terms `"hacking team" leak`. E.g. Hacking Team Leak Shows How Secretive Zero-Day Exploit Sales Work
  It provides both the exploits and RCS to government intelligence and law enforcement agencies around the world, and has come under attack for selling to repressive regimes, who've used them to target political activists and dissidents. But more interesting than the fact that the company possessed zero days---this was already known---is the correspondence around how Hacking Team acquired these valuable tools, prized equally by criminal hackers and government intelligence agencies.
- From 2021: search terms `pegasus spying scandal`. The allegations that spy software known as Pegasus may have been used to carry out surveillance on journalists, activists - and even perhaps political leaders - highlights that surveillance is now for sale.
If governments wanted security, they would report the bugs to the vendors.
As in traditional warfare, cyber warfare requires weapons. It is very hard to construct a physical nuclear bomb, but constructing a cyber nuclear bomb requires just skills and zero budget. Some drunk skilled kid may do a lot of damage in the real world.
Who watches the watchers?