Microsoft Fixes DLL Security Bug

Microsoft has released a “Fix-it” to help administrators deal with dynamic-link library (DLL) loading problems believed to be causing security issues in scores of applications.

The new solution comes roughly a week after Microsoft released a security advisory on the issue. Along with the Fix-it, the company also pledged to address any DLL loading issues present in its own software.

“First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” blogged Jerry Bryant, group manager of Microsoft Security Response Center (MSRC) communications. “This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogues to open a malicious file, we rate most of these vulnerabilities as important.”

Word, Powerpoint, Firefox affected

Though Microsoft has not named any affected applications, security researchers published the names of several programs last week believed to be susceptible to the issue. Among them are Microsoft programs such as Microsoft Word 2007 and Microsoft Office PowerPoint 2010, as well as non-Microsoft programs such as Mozilla Firefox and Adobe Photoshop.

The vulnerability occurs when an application does not directly specify the fully qualified path to a library it intends to load. Depending on how the application is developed, Windows will search specific locations in the file system for the necessary library and load the file if found.

“Some Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for documents and not application libraries,” Microsoft explained in its advisory. “Applications that use this API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker.”

In a joint blog post, MSRC Group Manager Maarten Van Horenbeeck and Jonathan Ness of the MSRC Engineering team stated this class of vulnerabilities “does not enable a ‘drive-by’ or ‘browse-and-get-owned’ 0-click attack”.

“To be exploited, a victim would need to browse to a malicious webDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays… unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted webDAV server in the Internet Zone and double-click on any type of files,” they wrote.

Registry tool

Along with the advisory, Microsoft released a tool last week that provides a new registry key to allow users to control the DLL search path algorithm. The tool still needs to be configured to block malicious behaviour, however, which is where the Fix-it solution comes into play by enabling Microsoft’s recommended setting to blocks most network-based attacks. The tool must be installed prior to enabling the Fix-it.

“Many enterprise customers have asked us to make it easier for them to deploy this tool,” Bryant wrote. “As a result, we are working with the Windows Update (WU) team to add the tool to the WU catalog. This will make it easier for those running Windows Server Update Services (WSUS) to deploy. We are working to have that solution in place within the next couple of weeks. We are also considering releasing this solution more broadly via WU as a defense-in-depth update for all customers in an ‘off by default’ state.”

“Customers should note that the tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path and developers will be required to update those applications accordingly,” he added.