Windows DLL flaw will be a big headache for end users
Summary: A year-old Windows bug affecting the way that DLL (Dynamic Link Library) files are pre-loaded is going to be a big headache for end users trying to eradicate vulnerable software from their systems.
The problem is that while Microsoft can patch Windows, affected programs, which could number hundreds, will need to be patched by the developers who created them.
CNet gives us an indication of the scale of the problem:
Now, the Exploit-db.com exploit database is getting flooded with submissions of applications that people say are vulnerable, including Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2010, Office 2007, and non-Microsoft applications like Firefox 3.6.8, Foxit Reader, Wireshark and uTorrent, said Mati Aharoni, founder of security firm Offensive Security, which runs the exploit database. "Today we broke a record in the Exploit-db with the amount of exploits for various Windows applications submitted in one day...all based on the same vulnerability," Aharoni said. "Right now it's in the dozens," he said, but he expects there will be hundreds of vulnerable applications reported before too long.
There's a Microsoft security bulletin covering the issue, and a tool to help users prevent exploits, but this is aimed at security administrators.
Hundreds of applications being vulnerable and needing to be patched is going to be a major headache for end users. Not only does the patch and update load increase, but there is the added problem that applications which are no longer supported will never see updates.
My advice is that you should take care. Be especially wary of unsolicited links and documents sent to you by email or other communication channels. Also, keep your security software updated. Another good tool to install might be Secunia's PSI scanner, which lets worried users run regular scans for vulnerable software and also helps track down updates.
Talkback
Hey Lovey!
Did you choke on your breakfast when you read this?
RE: Windows DLL flaw will be a big headache for end users
RE: Windows DLL flaw will be a big headache for end users
I'm not surprised he hasn't, since it doesn't matter what he says. Qualifications are easy to make up and post.
RE: Windows DLL flaw will be a big headache for end users
RE: Windows DLL flaw will be a big headache for end users
RE: Windows DLL flaw will be a big headache for end users
RE: Windows DLL flaw will be a big headache for end users
In Linux, dependencies are not called DLLs but they are the functional equivalent.
Actually, it is an OS bug.
No, the problem is that one of the places that Windows will look for a DLL to load is the current working directory. This is why so many applications are potentially affected, regardless of whether they actually [i]want[/i] to look in the current directory.
The Debian bug you reference is a different case. Here, the application actively [i]chose[/i] to load from the current working directory all by itself.
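To make the search-order point concrete, here is an added Python model of the Windows DLL search order; it is not code from the article, from any commenter, or from Microsoft. The directory order is Microsoft's documented order with SafeDllSearchMode enabled, and the four CWDIllegalInDllSearch values are the registry setting that Microsoft's advisory tool for this issue configures, modelled only as far as their documented meaning. The application directory, the remote share, the directory snapshot and the DLL names are constructed for the demonstration.

```python
"""Simplified model of the Windows DLL search order (SafeDllSearchMode on).

Added illustration, not code from the article or from Microsoft. The
directory snapshot, the application and the DLL names are constructed.
"""

# Documented values of the CWDIllegalInDllSearch registry setting under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Only their documented
# meaning is modelled; the real loader has further cases (KnownDLLs etc.).
CWD_ALLOWED = 0x0              # default: the current directory is searched
CWD_BLOCK_WEBDAV = 0x1         # skip the CWD when it is a WebDAV location
CWD_BLOCK_REMOTE = 0x2         # skip the CWD when it is any remote location
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # never search the current directory

# Consulted after the application directory and before the current directory.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def is_remote(path):
    # UNC paths (\\server\share\...) are the remote locations in this model.
    return path.startswith("\\\\")


def is_webdav(path):
    # Constructed convention: a UNC path through the WebDAV redirector
    # ("DavWWWRoot" share or an "@SSL" host suffix) counts as WebDAV.
    low = path.lower()
    return is_remote(path) and ("davwwwroot" in low or "@ssl" in low)


def cwd_is_searched(cwd, policy):
    """Apply the CWDIllegalInDllSearch policy to the current directory."""
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_REMOTE and is_remote(cwd):
        return False
    if policy == CWD_BLOCK_WEBDAV and is_webdav(cwd):
        return False
    return True


def search_order(app_dir, cwd, path_dirs, policy=CWD_ALLOWED):
    """Directories in the order the loader consults them, without repeats."""
    order = [app_dir] + SYSTEM_DIRS
    if cwd_is_searched(cwd, policy):
        order.append(cwd)
    order.extend(path_dirs)
    seen, deduped = set(), []
    for d in order:
        if d.lower() not in seen:
            seen.add(d.lower())
            deduped.append(d)
    return deduped


def resolve_dir(name, snapshot, app_dir, cwd, path_dirs, policy=CWD_ALLOWED):
    """Directory the loader would take `name` from, or None if it is absent.

    `snapshot` maps a directory to the set of file names it contains."""
    for d in search_order(app_dir, cwd, path_dirs, policy):
        if name.lower() in {f.lower() for f in snapshot.get(d, ())}:
            return d
    return None


def preload_exposure(imports, snapshot, app_dir, cwd, path_dirs, policy=CWD_ALLOWED):
    """Import names that would be satisfied from the current directory, i.e.
    from wherever the opened document lives: the preloading exposure."""
    trusted = {app_dir.lower()} | {d.lower() for d in SYSTEM_DIRS}
    if cwd.lower() in trusted:
        return []
    return [n for n in imports
            if resolve_dir(n, snapshot, app_dir, cwd, path_dirs, policy) == cwd]


# Constructed scenario: a document viewer opened a file on a remote share that
# also contains a DLL the viewer looks for but does not ship itself.
APP_DIR = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\docs"
SNAPSHOT = {
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    APP_DIR: {"viewer.exe", "render.dll"},
    SHARE: {"report.doc", "optional.dll"},
}
IMPORTS = ["kernel32.dll", "render.dll", "optional.dll"]


def demo(policy=CWD_ALLOWED):
    """Which of the viewer's imports the share would supply under a policy."""
    return preload_exposure(IMPORTS, SNAPSHOT, APP_DIR, SHARE, [], policy)


if __name__ == "__main__":
    for label, pol in [("default", CWD_ALLOWED), ("block WebDAV", CWD_BLOCK_WEBDAV),
                       ("block remote", CWD_BLOCK_REMOTE), ("block always", CWD_BLOCK_ALWAYS)]:
        print(f"{label:13s} loaded from share: {demo(pol)}")
```

Running the script shows why the exposure is loader-wide rather than per application: the viewer never asked for the share, it only imported a DLL that is not in its own directory or the system directories, and the default order fills that gap from the current directory. The model also shows the gap between the settings: value 1 leaves a plain SMB share searchable, value 2 removes remote locations, and 0xFFFFFFFF removes the current directory entirely, at the cost of breaking programs that legitimately load from it. The developer-side fix the article refers to is the application no longer relying on that position of the search order at all, for instance by loading its DLLs by full path.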
Message has been deleted.
RE: Windows DLL flaw will be a big headache for end users
Now lets examine why you are wrong:
[i]For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.[/i]
Good luck getting an end user to do that! They would have no reason to visit a remote file system.
Then there is this little gem:
[i]The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.[/i]
Firewalled! Stopped in its tracks. The basics is the home user has no reason for a remote file system, the corporate lan is firewalled.
I know you really want to believe everything is Microsoft's fault and you're getting paid for Microsoft hate articles, but you completely failed on this one. Sorry I had to be the one to smack you into reality.
When in a conversation about Operating Systems don't you feel like...
... don't you feel like an old man on visit to the playboy mansion whose lawful right to use a finger is systematically denied?
You do huh. I figured you would. Now enjoy the conversation much as you can, even if you can't understand the slightest of it.
RE: Windows DLL flaw will be a big headache for end users
Don't get mad because I'm right :)
RE: Windows DLL flaw will be a big headache for end users
Adrian, let's report about all the things that can go wrong if the moon and the planets are aligned. Loverock Davidson is correct and his writing was what your report should have concluded. Many of you guys at zdnet are no better than the stuff I see in the supermarket checkout stand. If you want to write for a technical website then make it educational.
Research, describe the issue. Report what needs to be done to either avoid the issue, protect against the issue or fix the issue. The readers are intelligent human beings, except for my dog that is an intelligent dog. Treat them like that and then go write your science fiction somewhere else.
RE: Windows DLL flaw will be a big headache for end users
Don't get your hopes up on him giving us the truth. Recently most of his articles have been filled with Microsoft hate. Worst part is he never used to be like this until a few months ago when they did the new format of the web page.
RE: Windows DLL flaw will be a big headache for end users
I agree with this wholeheartedly. ZDNet "bloggers" are not journalists. These "drive-by posts" that masquerade as journalism have to end soon. It drives hysteria and sheer ignorance and is no better - in fact, worse - than the bad ol' days of USENET know-it-alls.
Arstechnica has a good write up on this issue.
RE: Windows DLL flaw will be a big headache for end users
You can bet your hat that denying SMB at the firewall isn't going to be enough. Also, while SMB may be denied, webdav often isn't....
This may have started as a windows and/or dev issue, but it won't stay there. The end users still have to deal with the patching and cleanup. Therefore it *is* an end user problem.
/not being snarky and apologizing in advance if this sounded mean/snarky/cruel/whatever....
RE: Windows DLL flaw will be a big headache for end users
Application auto updates will take care of it. Still not a problem for the end user though, and the main problem is trying to get an end user to go to a remote file location. This is strictly a developer issue.
Hey Lovecock Davidson
This is going to become a massive black eye for MS... (Those morons should have dumped .dll files back in 1993... stupid move)
LOL, i8thecat!
Though you do make us laugh! :)