DLL bug: more details plus autofix emerge
Microsoft has gone into more detail about how exploits of a flaw in the dynamic link library (DLL) system work. The firm has also released instructions for altering registry settings and an automated fix.
The problems are known to affect dozens of applications, with some predictions that the final total could be in the hundreds. Microsoft has now confirmed that the specific problem occurs when an application attempts to automatically open a DLL but doesn’t give its location on the computer in full (that is, specifying the drive/directories/subdirectories and so on).
When this happens, Windows searches through a set list of locations until it finds a matching DLL. The exploits involve getting a bogus DLL onto the machine in a location where Windows finds and opens it before coming across the legitimate DLL.
The bogus DLL then routes the user to a malicious web server that brings up a Windows Explorer window and presents a malware file, usually mislabeled intentionally in an attempt to trick the user into double-clicking it. Even though the bogus DLLs can be put on a machine remotely, it takes further user action before the actual damage can be done, which is why Microsoft has labeled the issue important rather than critical.
With this information, Microsoft has come up with two solutions for customers that will, at the least, reduce the likelihood of exploits being possible. Both options are detailed at http://support.microsoft.com/kb/2264107.
The first option is a series of registry edits. The upside is that this gives the user a high level of control over the specific order in which Windows searches for DLL locations, as well as blocking the opening of file windows from the malicious server. The downside, of course, is that registry edits aren’t for the fainthearted.
The second option is a combination of a downloadable and installable update that makes it possible to block the attacks (but has this function switched off by default), followed by a “Fix it” tool (which is activated simply by clicking on Microsoft’s site) that switches on the blocking function.
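To make the search-order problem and the blocking function concrete, here is an added Python model (not Microsoft's code and not part of the original article). It assumes the default Windows order with safe DLL search mode on (application directory, system directories, current directory, then PATH); the function names and the directory layout are constructed for illustration.

```python
import os
import tempfile

def search_order(app_dir, system_dirs, cwd, path_dirs, block_cwd=False):
    """Ordered directories tried for a DLL named without a full path.

    Assumed model of the default order with safe search mode on.
    block_cwd=True models a mitigation that drops the current directory.
    """
    order = [("application", app_dir)]
    order += [("system", d) for d in system_dirs]
    if not block_cwd:
        order.append(("current", cwd))
    order += [("path", d) for d in path_dirs]
    return order

def resolve(dll_name, order):
    """Return (kind, full_path) of the first match, or None."""
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for kind, directory in order:
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            if entry.lower() == wanted:
                return kind, os.path.join(directory, entry)
    return None

def audit(dll_name, order, untrusted_kinds=("current",)):
    """Flag a load that resolves from an untrusted location."""
    hit = resolve(dll_name, order)
    if hit is None:
        return "not found"
    return "UNSAFE" if hit[0] in untrusted_kinds else "ok"

def demo():
    """Constructed layout: legitimate DLL on PATH, same-named file in CWD."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("app", "system32", "share", "vendor")}
    for d in dirs.values():
        os.mkdir(d)
    open(os.path.join(dirs["vendor"], "helper.dll"), "w").close()  # legitimate copy
    open(os.path.join(dirs["share"], "HELPER.DLL"), "w").close()   # bogus copy in CWD
    args = (dirs["app"], [dirs["system32"]], dirs["share"], [dirs["vendor"]])
    before = audit("helper.dll", search_order(*args))
    after = audit("helper.dll", search_order(*args, block_cwd=True))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The same `audit` call can be pointed at a real application's directories to see whether a DLL it names without a full path would resolve from the current directory.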