Skip Links

Microsoft won't patch critical DLL loading bugs

Third-party vendors responsible for fixes; Microsoft may address issue in future service packs

By Gregg Keizer, Computerworld
August 23, 2010 01:11 PM ET

Computerworld - MIcrosoft has told a researcher that it won't patch a problem that has left scores of Windows applications open to attack.

According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft's, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications , including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.

Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.

All these researchers have pointed out that many Windows programs can be exploited by hackers who trick users into visiting malicious Web sites because of the way the software loads code libraries -- dubbed "dynamic-link library" in Windows, which marks them with the ".dll" extension -- as well as executable ".exe" and ".com" files. If hackers can plant disguised malware in one of the directories an application searches when it looks for a .dll, .exe or .com file, they can hijack the PC.

Today, Kwon said that he reported 19 serious vulnerabilities to Microsoft in August 2009 after finding flaws in nearly 30 Windows programs, including Office 2007, Adobe Reader and all the major browsers .

During the back-and-forth between Kwon and engineers in the Microsoft Security Response Center (MSRC) about the remotely-executable bugs, the latter told Kwon that the company won't ship a security bulletin, but instead will address the problem in upcoming Windows and Office service packs.

According to Kwon, Microsoft declined to deliver a patch because "the root causes [of the vulnerabilities] are in other vendors' products." Microsoft also told Kwon it intended to work with the companies whose software contained flaws.

In an e-mail today to Computerworld, Kwon quoted a statement he said he received from Microsoft.

"For the two specific vulnerabilities that have been identified in this paper Microsoft has agreed to work with these vendors on behalf of the authors through the MSVR (Microsoft Vulnerability Research) program," Microsoft said. "As there are application compatibility concerns in changing the way 'Loadlibrary' and 'SetDllDirectory' work currently, Microsoft intends to address the underlying issue in a Service Pack or next version of Office products."

Microsoft's decision won't come as a surprise to the researchers who have publicized the problem.

Last week, for example, Moore said it was unlikely Microsoft could come up with a fix. "There may be work-arounds available, but the core issue is with the application itself, not Windows," he said at the time. "There may be fixes that can be applied at the OS level, but these are likely to break existing applications."

Originally published on www.computerworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News