DLL loading vulnerability


[Here's a somewhat free translation of a blog by my colleague Josep Albors on the recently announced issue with .DLL (Dynamic Link Library). You can find the original here. ]

Scarcely had we got our breath back mainly after Microsoft  addressed a serious vulnerability in handling .LNK (shortcut) files, before researcher HD Moore made public a serious security failure in the dynamic loading of libraries in Windows that came to light when he was investigating the .LNK issue.  Microsoft has already released their corresponding advisory, explaining the details of this new vulnerability.

This vulnerability is a bug in the loading loading of dynamic libraries for various applications for Windows. Initially it was thought that some forty applications were affected. More recent analysis suggests that the number of affected applications is higher, but details on which applications are affected is still scanty. Microsoft states that incorrectly coded libraries presenting with the bug "could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location."

In order to exploit this flaw security, the user has to have run a vulnerable file from a location controlled by the attacker. This location may vary and be a shared resource in the local network, WebDAV or any USB storage device. When the application associated with the management of that file opens it, a DLL is loaded that may have been changed to load and run unauthorized code. This occurs because, when trying to load the library without specifying the full path, Windows tries to find a series of predefined directories. If the original code is replaced by malicious code, execution will result in its being loaded without checking.

Microsoft has reported in detail this vulnerability and has already made available to users a solution which limits the scope of this bug. On this occasion, responsibility lies with  software developers to define clearly the location from which the libraries are loaded, in order to prevent exploitation of the vulnerability.

Until the publication of the security patch to fix this vulnerability, Microsoft has published a series of measures that can be taken to mitigate potential attacks:

  • Disable WebDAV client
  • Block ports 139 and 445 at the firewall.
  • Disable all SMB outbound traffic at the perimeter
  • Disable the "Web client" server on all the workstations by using Group Policy. 

Although these measures do not solve the problem in all scenarios, they signficantly reduce the risk.

The  ESET Ontinet.com laboratory, with still-fresh memories of the .lnk vulnerability, recommends that users stay informed about possible remediating patches so that they can be applied as soon as possible. Having an antivirus and firewall able to stop all those threats that attempt to exploit this vulnerability also is critical. Also, information that can be obtained at the Microsoft web or this blog may be helpful to forestall further problems.

 Josep Albors

ESET Sr. Research Fellow

Author David Harley, ESET

  • Juan Carlos Donoso

    Microsoft released a security update, KB 2264107, that is supposed to give additional registry entries, so the user can block / mitigate the DLL exploit. I'm not a computer expert, so It would be interesting if you could post an update including an explanation about this and the correct use for the common user.
    Thank you.

Follow us

Copyright © 2017 ESET, All Rights Reserved.