AdwCleaner 8.0.1 Fixes DLL Hijacking Vulnerability

DDE_Server

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Malwarebytes has released AdwCleaner 8.0.1 and in addition to various improvements to the tool's scanning engine, it also fixes a DLL hijacking vulnerability.

The AdwCleaner malware and adware cleaning program has had a DLL Hijacking vulnerability in versions older than 8.0.1, which was released yesterday.

For those not familiar with a DLL hijack vulnerability, it is important to give a little background on how DLLs are loaded by programs.

When a program starts it will load various DLLs that it needs to operate. If the developer did not specify the path to the DLL, the program will attempt to load the DLL from the current directory, and if it does not exist, it will check other folders in the user's path.

This allows an attacker or malware to create a malicious DLL with the same name as one that AdwCleaner normally loads. This malicious DLL is then stored an accessible folder in your path.

When AdwCleaner is launched it will attempt to load the required DLLs, including the malicious DLL. As AdwCleaner runs with Administrative privileges, this means that the malicious DLL will be executed with elevated privileges and can run malicious commands as an administrator.

Below you can see an example of the DLL Hijacking vulnerability being exploited using the Sentinel Vulnerability and Exploit Detector tool.

AdwCleaner DLL Hijacking
AdwCleaner DLL Hijacking
This vulnerability was discovered by Günter Born who disclosed it to Malwarebytes on December 10th, 2019.

Jérôme B, the developer of AdwCleaner, told BleepingComputer that this vulnerability was fixed by enforcing the loading paths to the DLLs.

"Yes, we didn't properly enforce the loading path for DLLs, so unprivileged users could add a specially crafted one and get privesc."

Other changes in AdwCleaner 8.0.1
While the DLL Hijacking vulnerability fix is definitely welcome, it is not the only improvement in this version.

With this release, AdwCleaner 8.0.1 once again has a Firefox cleaning module that can be used to scan for and remove malicious Firefox extensions, search engines, start pages, and preferences.

The full changelog for AdwCleaner 8.0.1 can be read below:

New Features
  • Re-Implement Firefox module. It now properly support detecting and removing extensions, startpage, sear chengines, preferences...
Changes
  • Hide debug output
  • Update telemetry internals.
  • Update definitions to 2019.12.17.1
Bugfixes
  • Fix a DLL Hijacking vulnerability in AdwCleaner 7.0+, reported by Günter Born
Click to expand...
 
  • Like
  • Thanks
  • Wow
Reactions: Viking, plat, Gandalf_The_Grey and 4 others

Similar threads

silversurfer
    • Like
    • +Reputation
Security News New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections
Replies
5
Views
1,934
Security News
NoVirusThanks
NoVirusThanks
silversurfer
    • Like
    • +Reputation
    • Thanks
QBot malware abuses Windows WordPad EXE to infect devices
Replies
2
Views
863
News Archive
Kongo
Kongo
CyberTech
    • Like
    • +Reputation
    • Wow
OneDrive DLL Sideloading vulnerability exploited in the wild
Replies
1
Views
871
News Archive
ForgottenSeer 95367
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top