DLL hijacking and the Opera browser
Recently, a collection of documents was released online that was claimed to have originated with a major world power. The documents listed hacking vectors that could be used to inject code into major operating systems and numerous popular applications. Opera was no exception, with a couple of mentions on the list.
The attacks mentioned for Opera products were both “DLL hijacks”. In both cases, these are not considered to be exploitable security issues, even though in some cases, a DLL hijack might be considered exploitable. The reason for this is that the described vectors require an attacker to already have control over your computer, such that they can place executable files into protected locations on your computer. If they already have that kind of access to your computer, then they can use numerous other legitimate techniques to run code, and they don’t need to rely on an application bug to do so. As a result, like many software vendors, we do not consider the bugs mentioned in the documents to be exploitable security issues in Opera.
For the attack to take place, the attacker must place their malicious DLL into Opera’s installation folder, and Opera will accidentally load that malicious DLL instead of the correct DLL which resides in a different folder. If the attacker can place files into that folder, then they might as well just replace the real DLL in its correct folder – something the browser could not protect against. Or the attacker may as well just replace the Opera executable with a malicious one, and again, the browser cannot possibly protect against that. Or they could modify the system registry so that attempts to start the browser run a different executable instead. So loading the DLL from the wrong folder does not make the situation any worse, and the real problem is that the attacker is already running malicious code on the computer in the first place – something far more serious.
(Note that there are some cases where DLL hijacking might have security implications, where users can be tricked into running legitimate executables from an unprotected location, which in turn load an untrusted DLL by mistake. Installers are an example of applications which are usually run from unprotected locations, such as a browser’s downloads folder. A browser or user may download what they perceive to be relatively harmless DLLs into that folder without realising that an installer may then run them by accident. We have fixed such issues in the past with the Opera installer, as we do consider them to have security implications.)
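The distinction drawn above, between a protected installation folder and an unprotected one such as a downloads folder, can be checked before an installer is run. The following is an added example, not Opera's code or its installer fix: it lists folders where an executable sits beside DLL files and the current user can write to the folder. The function name audit_folder and the sample file names are hypothetical, and the writability test uses os.access, which does not consult Windows ACLs and so is only an approximation there.

```python
import os
import sys


def audit_folder(root):
    """Report every folder under root that holds an executable, listing the
    DLLs beside it and whether the current user can write to the folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased.
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes:
            continue  # DLLs with no executable beside them are not loaded from here
        # Approximation (assumption): os.access ignores ACLs on Windows.
        writable = os.access(dirpath, os.W_OK)
        findings.append({
            "folder": dirpath,
            "executables": exes,
            "colocated_dlls": dlls,
            "user_writable": writable,
            # Unprotected folder plus a DLL next to the executable is the
            # installer case the note above describes.
            "at_risk": writable and bool(dlls),
        })
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for item in audit_folder(target):
        flag = "REVIEW" if item["at_risk"] else "ok"
        print(f"[{flag}] {item['folder']}")
        print(f"    executables: {', '.join(item['executables'])}")
        if item["colocated_dlls"]:
            print(f"    DLLs beside them: {', '.join(item['colocated_dlls'])}")
```

A folder flagged REVIEW is not proof of tampering; it means the DLLs listed should be accounted for, or the installer moved to an empty folder, before it is run.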