Microsoft released some additional help today to plug security holes opened by the DLL loading vulnerabilities in many applications.
Microsoft released a "Fix-it" to help administrators deal with DLL
loading problems believed to be affecting scores of applications.
The new solution comes roughly a week after Microsoft released a security
advisory on the issue. Along with the Fix-it, the company also pledged to
address any DLL loading issues in its own software.
"First, I want to be clear that Microsoft plans to address those of our
products affected by this issue in the most appropriate way for
, group manager of MSRC (Microsoft Security Response Center) communications.
"This will primarily be in the form of security updates or defense-in-depth
updates. Also, due to the fact that customers need to click through a series of
warnings and dialogs to open a malicious file, we rate most of these
vulnerabilities as important."
Though Microsoft has not named any affected applications, security
researchers published the names of several
programs last week
that were believed to be susceptible to the issue. Among
them are Microsoft programs such as Microsoft Word 2007 and Microsoft Office
PowerPoint 2010, as well as non-Microsoft programs such as Mozilla Firefox and
The vulnerability occurs when an application does not directly specify the
fully qualified path to a library it intends to load. Depending on how the
application is developed, Windows will search specific locations in the file
system for the necessary library and load the file if found.
"Some APIs such as SearchPath use a search order that is intended for
documents and not application libraries," Microsoft
explained in its advisory
. "Applications that use this API
may try to load the library from the Current Working Directory, which may be
controlled by an attacker."
In a joint blog post, MSRC Group Manager Maarten Van Horenbeeck and Jonathan
Ness of the MSRC Engineering team stated this class of vulnerabilities
"does not enable a "drive-by" or
"browse-and-get-owned" zero-click attack."
"To be exploited, a victim would need to browse to a malicious WebDAV
server or a malicious SMB server and double-click a file in the Windows
Explorer window that the malicious server displays...Unfortunately, based on
attack patterns we have seen in recent years, we believe it is no longer safe
to browse to a malicious, untrusted WebDAV server in the Internet Zone and
double-click on any type of files," they
Along with the advisory, Microsoft released a tool last week that provides a
new registry key to allow users to control the DLL search path algorithm. The
tool still needs to be configured to block malicious behavior, however, which
is where the Fix-it solution comes into play by enabling Microsoft's
recommended setting to block most network-based attacks. The tool must be
installed prior to enabling the Fix-it.
"Many enterprise customers have asked us to make it easier for them to
deploy this tool," Bryant wrote. "As a result, we are working with
the Windows Update [WU] team to add the tool to the WU catalog. This will make
it easier for those running Windows Server Update Services [WSUS] to deploy. We
are working to have that solution in place within the next couple of weeks. We
are also considering releasing this solution more broadly via WU as a
defense-in-depth update for all customers in an 'off by default' state."
"Customers should note that the tool is limited to protecting against
DLL preloading only and does not protect against .exe files that do not
properly load files via a fully qualified path, and developers will be required
to update those applications accordingly," he added.