Apple and Mozilla have patched their browser products against the dynamic-library link file loading issue affecting many applications running on Windows.
For Apple Safari users, the fix was mixed in with a relatively small update that also plugged two security holes in the Webkit engine. Users of Mozilla Firefox will find the fix tucked into a much larger update that swats a total of 15 bugs. Almost all of the Firefox bugs are rated critical.
The DLL issue was highlighted last month after Rapid7 Chief Security Officer HD Moore and researchers at Acros Security revealed that numerous applications were vulnerable to attack. In the ensuing weeks, the names of some of the applications believed to be vulnerable – such as Firefox, Adobe Photoshop and Microsoft Word 2007 – were made public.
According to Microsoft, the issue is caused by applications passing an insufficiently qualified path when loading an external library, a practice that can leave them susceptible to binary planting attacks.
In its advisory, Mozilla reported that an attacker targeting Windows XP users could “use this vulnerability to trick a user into downloading a HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed.”
“If the attacker was on the same network as the victim, the malicious DLL could also be loaded via a UNC path,” Mozilla continued. “The attack also requires that Firefox not currently be running when it is asked to open the HTML file and accompanying DLL.”
For Safari users, the issue has been addressed by using an explicit search path when launching Windows Explorer, Apple reported.
Microsoft issued a “Fix-it” Sept. 1 to help organizations block most network-based attacks leveraging the vulnerability.