Categories: SecurityWorkspace

Microsoft Fixes DLL Security Bug

Microsoft has released a “Fix-it” to help administrators deal with dynamic-link library (DLL) loading problems believed to be causing security issues in scores of applications.

The new solution comes roughly a week after Microsoft released a security advisory on the issue. Along with the Fix-it, the company also pledged to address any DLL loading issues present in its own software.

“First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” blogged Jerry Bryant, group manager of Microsoft Security Response Center (MSRC) communications. “This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogues to open a malicious file, we rate most of these vulnerabilities as important.”

Word, Powerpoint, Firefox affected

Though Microsoft has not named any affected applications, security researchers published the names of several programs last week believed to be susceptible to the issue. Among them are Microsoft programs such as Microsoft Word 2007 and Microsoft Office PowerPoint 2010, as well as non-Microsoft programs such as Mozilla Firefox and Adobe Photoshop.

The vulnerability occurs when an application does not directly specify the fully qualified path to a library it intends to load. Depending on how the application is developed, Windows will search specific locations in the file system for the necessary library and load the file if found.

“Some Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for documents and not application libraries,” Microsoft explained in its advisory. “Applications that use this API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker.”

In a joint blog post, MSRC Group Manager Maarten Van Horenbeeck and Jonathan Ness of the MSRC Engineering team stated this class of vulnerabilities “does not enable a ‘drive-by’ or ‘browse-and-get-owned’ 0-click attack”.

“To be exploited, a victim would need to browse to a malicious webDAV server or a malicious SMB server and double-click a file in the Windows Explorer window that the malicious server displays… unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted webDAV server in the Internet Zone and double-click on any type of files,” they wrote.

Registry tool

Along with the advisory, Microsoft released a tool last week that provides a new registry key to allow users to control the DLL search path algorithm. The tool still needs to be configured to block malicious behaviour, however, which is where the Fix-it solution comes into play by enabling Microsoft’s recommended setting to blocks most network-based attacks. The tool must be installed prior to enabling the Fix-it.

“Many enterprise customers have asked us to make it easier for them to deploy this tool,” Bryant wrote. “As a result, we are working with the Windows Update (WU) team to add the tool to the WU catalog. This will make it easier for those running Windows Server Update Services (WSUS) to deploy. We are working to have that solution in place within the next couple of weeks. We are also considering releasing this solution more broadly via WU as a defense-in-depth update for all customers in an ‘off by default’ state.”

“Customers should note that the tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path and developers will be required to update those applications accordingly,” he added.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

IT Glitch Disrupts Morrisons Christmas Shopping

Morrisons offers discounts after glitch causes promotions to not be applied for card holders, as…

4 hours ago

US Finalises Billions In Awards To Samsung, Texas Instruments

US finalises $4.7bn award to Samsung Electronics, $1.6bn to Texas Instruments to boost domestic chip…

13 hours ago

OpenAI Starts Testing New ‘Reasoning’ AI Model

OpenAI begins safety testing of new model o3 that uses 'reasoning' process to ensure reliability…

13 hours ago

US ‘Adding Sophgo’ To Blacklist Over Link To Huawei AI Chip

US Commerce Department reportedly adding China's Sophgo to trade blacklist after TSMC-manufactured part found in…

13 hours ago

Amazon Workers Go On Strike Across US

Amazon staff in seven cities across US go on strike after company fails to negotiate,…

14 hours ago

Senators Ask Biden To Extend TikTok Ban Deadline

Two US senators ask president Joe Biden to delay TikTok ban by 90 days after…

14 hours ago