Microsoft has released a “Fix-it” to help administrators deal with dynamic-link library (DLL) loading problems believed to be causing security issues in scores of applications.
The new solution comes roughly a week after Microsoft released a security advisory on the issue. Along with the Fix-it, the company also pledged to address any DLL loading issues present in its own software.
“First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” blogged Jerry Bryant, group manager of Microsoft Security Response Center (MSRC) communications. “This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogues to open a malicious file, we rate most of these vulnerabilities as important.”
Though Microsoft has not named any affected applications, security researchers published the names of several programs last week believed to be susceptible to the issue. Among them are Microsoft programs such as Microsoft Word 2007 and Microsoft Office PowerPoint 2010, as well as non-Microsoft programs such as Mozilla Firefox and Adobe Photoshop.
The vulnerability occurs when an application does not directly specify the fully qualified path to a library it intends to load. Depending on how the application is developed, Windows will search specific locations in the file system for the necessary library and load the file if found.
“Some Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for documents and not application libraries,” Microsoft explained in its advisory. “Applications that use this API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker.”
In a joint blog post, MSRC Group Manager Maarten Van Horenbeeck and Jonathan Ness of the MSRC Engineering team stated this class of vulnerabilities “does not enable a ‘drive-by’ or ‘browse-and-get-owned’ 0-click attack”.
Along with the advisory, Microsoft released a tool last week that provides a new registry key to allow users to control the DLL search path algorithm. The tool still needs to be configured to block malicious behaviour, however, which is where the Fix-it solution comes into play by enabling Microsoft’s recommended setting to blocks most network-based attacks. The tool must be installed prior to enabling the Fix-it.
“Many enterprise customers have asked us to make it easier for them to deploy this tool,” Bryant wrote. “As a result, we are working with the Windows Update (WU) team to add the tool to the WU catalog. This will make it easier for those running Windows Server Update Services (WSUS) to deploy. We are working to have that solution in place within the next couple of weeks. We are also considering releasing this solution more broadly via WU as a defense-in-depth update for all customers in an ‘off by default’ state.”
“Customers should note that the tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path and developers will be required to update those applications accordingly,” he added.
Morrisons offers discounts after glitch causes promotions to not be applied for card holders, as…
US finalises $4.7bn award to Samsung Electronics, $1.6bn to Texas Instruments to boost domestic chip…
OpenAI begins safety testing of new model o3 that uses 'reasoning' process to ensure reliability…
US Commerce Department reportedly adding China's Sophgo to trade blacklist after TSMC-manufactured part found in…
Amazon staff in seven cities across US go on strike after company fails to negotiate,…
Two US senators ask president Joe Biden to delay TikTok ban by 90 days after…