In association with heise online

25 August 2010, 17:18

Scope of DLL security problem widens - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Microsoft Logo After HD Moore released details last week about the DLL problem under Windows, along with a testing tool, an increasing number of affected applications and their matching exploits have been reported. In addition to Firefox and Opera, vulnerable programs include such popular applications as PowerPoint, Photoshop, Dreamweaver, VLC, uTorrent and Wireshark – in each case, the current version is affected. They all use an insecure way of loading DLLs in which at an early stage the search order contains the current directory – a directory that could be on a network device.

The exploit DLLs are simple affairs which often only contain the payload and various empty functions. Searching the exploit database for the term DLL hijacking continually produces further new exploits which specifically target popular user software. Metasploit developer HD Moore released the DLLHijackAuditKit, a tool that allows users to search for vulnerable applications themselves.

Although Microsoft released an advisory about the problem yesterday, it's unlikely that there will be a patch, and the affected vendors will instead need to update their products. Meanwhile, a heated discussion has started in security circles over the question of whether application developers should be held responsible for this problem at all. Secunia considers it bad programming practice to supply incomplete path information which leaves it up to Windows to do the work. Funnily enough, VLC developer Geoffroy Couprie has voiced the same opinion, even though initial tests have shown that VLC is among the affected programs.

Update – The way that Windows searches is determined by the "SafeDLLSearchMode" option, which specifies the search order. If this option is enabled (set to 1), the current working directory, which could be a network share, goes to the end of the search list, making it less likely an exploit will succeed. With it disabled (set to 0) the current directory is placed second in the search, so it is more likely that a malicious dll will be loaded.

For a current list of affected applications, search the databases of Secunia or Vupen with the search terms "insecure library loading". New exploits are also being added to

Microsoft is offering an tool that allows users to change DLL loading behaviour on a per-application or system wide basis. Details of the tool are available in a Technet blog posting.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit