Microsoft addresses recent DLL order of operations flaw

Image (1) trojan250.jpg for post 3446

Trojan horse

Microsoft released an advisory this week discussing bad practices in DLL loading that could lead to remote exploitation. They have released a tool that can help mitigate the risk, but the real solution is for developers to patch their applications to follow best practices.

The issue at hand is something Unix administrators have had to deal with for more than 20 years. Including the current directory in the search path for DLLs allows trojan DLLs to be loaded in place of the intended system DLL. These search paths can even be modified to include a WebDAV path on the internet for the source of the malicious files.

There is little that can be done by those of us in the security community, or Microsoft for that matter, as many applications are designed to take advantage of this flaw and it could take many years for application developers to release better designed programs and encourage users to update to them. If Windows were patched to eliminate this behavior, it would break many programs and eliminate the backward compatibility that has catapulted Windows to its dominance.

I recommend you follow Microsoft’s guidance and work with your suppliers to ensure they are dealing with the issue. Many high-profile applications are vulnerable to this, but it is not known to be actively exploited in the wild.

Creative Commons image courtesy of Grumbler %-|’s Flickr photostream.