Microsoft Releases 'Fix it' Help for DLL Security Flaw

• By Kurt Mackie
• 09/01/10

Microsoft updated its security advisory this week concerning a dynamic link library (DLL) issue and published a "Fix it" solution to help address the problem.

The issue potentially involves hundreds of applications that may fail to specify a direct path to DLL files when accessing a remote server. These poorly written applications could be subject to a hacking method called "DLL preloading attacks" or "binary planting," Microsoft explained last week. In essence, applications that reference DLL files without a specified path could pick up a planted malware files instead.

The new Fix it solution, which is buried in a Knowledge Base support article linked to the revised security advisory, is designed to simplify matters for IT pros. It's supposed to be a one-click solution to the DLL security issue. However, Microsoft added some caveats before using the Fix it solution. IT pros should first download and install update 2264107 (the workaround), which is available in a series of links below the Fix it description in the Knowledge Base article.

The next step is to configure the workaround by clicking the Fix it button. Alternatively, users can manually configure the workaround through the Windows registry. Either way, this fix will "block nonsecure DLL loads from WebDAV and SMB locations," according to the article.

The DLL problem is either associated with remote servers using WebDAV (or "Web-based Distributed Authoring and Versioning"), which is used with Internet Information Services component in Windows, or with remote servers using the Server Message Block (SMB) protocol.

Spokesperson Jerry Bryant for the Microsoft Security Response Center noted that the Fix it solution just configures the workaround tool.

"This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block[s] unsafe DLL loading," Bryant explained in a blog post. "When installed, this tool [the workaround] still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting. As a result, our Security Research & Defense team has written a detailed blog post on this topic and has worked with our Microsoft Fix-it team to develop a Fix-it to enable our recommended setting which blocks most network-based attack vectors. (Please note that the [workaround] tool needs to be installed prior to enabling the Fix-it.)"

Microsoft hasn't issued a patch yet and isn't saying that it will. The problem originates, in part, due to the poor security practices of software coders. Consequently, Microsoft's security team has not described the severity of the exploit. However, Bryant wrote that the DLL vulnerability is "important" for IT pros to address. Those users subject to this DLL security problem have to "click through a series of warnings and dialogs to open a malicious file," he explained.