Saturday, February 8, 2025
Homecyber securityZero-Day Vulnerabilities in Microsoft Sysinternals Tools Enable DLL Injection Attacks on Windows

Zero-Day Vulnerabilities in Microsoft Sysinternals Tools Enable DLL Injection Attacks on Windows

Published on

SIEM as a Service

Follow Us on Google News

A significant zero-day vulnerability has been uncovered in Microsoft Sysinternals tools, posing a severe risk to Windows systems.

These widely-used utilities, essential for IT administrators and developers, are now susceptible to DLL injection attacks due to flaws in their dynamic link library (DLL) loading mechanisms.

The vulnerability allows attackers to execute malicious code, potentially leading to full system compromise.

DLL Injection via Search Order Hijacking

The vulnerability lies in how Sysinternals tools, such as Process Explorer, Autoruns, and Bginfo, load DLL files.

Microsoft Sysinternals
DLLs loaded by a process can be displayed using “Listdlls”:

Instead of strictly accessing trusted system paths, these applications often prioritize the current working directory (CWD) or other predefined paths.

This behavior enables attackers to place malicious DLLs in the same directory as the executable file.

According to the report, when the application is launched, the rogue DLL is loaded and executed without detection.

For instance, an attacker could place a malicious file cryptbase.dll alongside a legitimate tool like Bginfo.exe on a shared network drive.

When a user runs the application from this location, the malicious DLL is loaded, executing the attacker’s code within the application’s process.

This technique can bypass traditional security measures and escalate privileges on the target system.

Microsoft’s Response

Microsoft classified it as a “defense-in-depth” issue rather than critical, citing that it does not meet their threshold for immediate servicing.

Despite updates to some Sysinternals tools in December 2024, the core issue remains unresolved.

Administrators and users are advised to implement mitigation strategies to reduce exposure:

  • Avoid running tools directly from network storage: Copy executables to a local path before execution.
  • Verify application integrity: Use security solutions that ensure only trusted DLLs are loaded.
  • Monitor for vulnerabilities: Regularly review environments for affected tools and apply available updates promptly.

This discovery underscores the risks associated with trusted tools becoming vectors for attacks.

Sysinternals tools are often used for malware analysis and system diagnostics; ironically, their vulnerabilities now make them potential targets for exploitation.

The incident highlights the importance of secure coding practices and stringent validation of DLL loading paths in software development.

As attackers increasingly exploit such flaws, organizations must remain vigilant and adopt proactive measures to safeguard their systems.

While Microsoft has yet to release a comprehensive fix, users are encouraged to stay informed and employ best practices to mitigate potential threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...