Microsoft addresses recent DLL search order flaw

Filed Under: Microsoft, Vulnerability


Microsoft released an advisory this week describing an insecure DLL loading practice that can lead to remote code execution. An application that loads a library by bare file name rather than by fully qualified path leaves it to the Windows loader to search a fixed sequence of directories, including the current working directory, and whoever controls one of those directories can supply the library. Microsoft has released a tool that lets administrators mitigate the risk by restricting where the loader will look, but the real fix is for developers to change their applications to load libraries safely.

The underlying problem is one Unix administrators have known about for more than 20 years: putting the current directory in a search path (the Unix equivalent is a "." entry in PATH or LD_LIBRARY_PATH) lets an attacker who can write to that directory plant a trojan library that gets picked up in place of the intended system DLL. On Windows the current directory does not even have to be local. When a user opens a document from an SMB or WebDAV share, that share becomes the application's working directory, so the malicious DLL can be served from a server on the internet and is loaded simply because the user double-clicked a file sitting next to it.

There is little that the security community, or Microsoft for that matter, can do about this directly. Many applications rely on this loading behaviour, and it could take years for their developers to ship correctly designed versions and persuade users to upgrade. If Windows were patched to drop the current directory from the search order outright, it would break many programs and sacrifice the backward compatibility that has done so much to make Windows dominant.

I recommend you follow Microsoft's guidance and work with your suppliers to make sure they are dealing with the issue. For developers that guidance is to load libraries by fully qualified path and to call SetDllDirectory with an empty string, which removes the current directory from that process's search order. Many high-profile applications are affected, but the flaw is not known to be actively exploited in the wild.
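As an added example (my own script, not Microsoft's tool and not code from this post), here is how an administrator can apply and verify the registry mitigation that Microsoft's hotfix for this issue introduced, and take a quick look for DLLs that running processes have already loaded from network paths. It assumes the hotfix (KB2264107) that introduces the CWDIllegalInDllSearch value is installed, since the value is ignored otherwise; the function names are mine.

```powershell
# Added example for this post; it is not Microsoft's tool or code from the post.
# Applies and verifies the CWDIllegalInDllSearch mitigation that Microsoft's
# hotfix (KB2264107) introduced. The value does nothing until that update is
# installed. Run from an elevated (Administrator) PowerShell.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'CWDIllegalInDllSearch'

# Documented values for CWDIllegalInDllSearch (REG_DWORD):
#   1           block DLL loads from the current directory when it is a WebDAV folder
#   2           block DLL loads from the current directory when it is any remote
#               folder (WebDAV or UNC share)
#   0xFFFFFFFF  block DLL loads from the current directory altogether
#               (strictest, and most likely to break applications that rely on it)
# Absent or 0 is the old behaviour: the current directory is searched.
$Desired = [uint32]2

function Get-CwdDllSearchSetting {
    # Returns $null when the value is absent, otherwise the DWORD as an unsigned int.
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $null }
    return [uint32]($v -band 0xFFFFFFFF)   # DWORD reads back signed; -1 is 0xFFFFFFFF
}

function Set-CwdDllSearchSetting {
    param([uint32]$Value)
    # DWORDs are written as signed 32-bit ints, so 0xFFFFFFFF must be passed as -1.
    $raw = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $raw -Force | Out-Null
}

$before = Get-CwdDllSearchSetting
if ($null -eq $before) {
    Write-Host "Before: not set (current directory is searched for DLLs, remote shares included)"
} else {
    Write-Host ('Before: 0x{0:X8}' -f $before)
}

Set-CwdDllSearchSetting -Value $Desired

$after = Get-CwdDllSearchSetting
if ($after -ne $Desired) { throw "Failed to set $Name (read back: $after)" }
Write-Host ('After:  0x{0:X8}' -f $after)

# Quick audit: a module a running process has loaded from a UNC path is exactly
# the kind of load this mitigation is meant to stop, so any hit deserves a look.
# Process.Modules throws for protected processes and 32/64-bit mismatches, hence the try.
Get-Process | ForEach-Object {
    try { $_.Modules } catch { }
} | Where-Object { $_.FileName -like '\\*' } |
    Select-Object ModuleName, FileName | Format-Table -AutoSize
```

Value 2 is the sensible default for most environments: it stops the remote-share case the advisory describes while leaving local directories alone. Only move to 0xFFFFFFFF after testing the applications you depend on, because anything that genuinely needs to load a DLL from its working directory will stop working.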

Creative Commons image courtesy of Grumbler %-|'s Flickr photostream.



About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.