Tuesday, August 24, 2010

Critical New (yet old) DLL Loading Vulnerability likely won't be fixed via Microsoft Update

Short summary: To continue to provide backward compatibility for older (poorly written) applications, Microsoft will likely not patch what may become one of the most dangerous vulnerabilities in Windows. It affects all versions, even the newest Windows 7 and Windows Server 2008 R2 operating systems. System administrators must test and apply the mitigation on each system themselves, tuned to the critical applications that system runs - otherwise business-critical systems may break completely - or accept the risk of infection.

For a decent analysis of what the problem is, and why Microsoft likely won't be releasing a hotfix via Windows Update, see this article:
ars technica : Windows DLL-loading security flaw puts Microsoft in a bind


Microsoft released a KB article last night announcing a mitigation available to system admins. The process is to install a hotfix that makes the OS loader honour a new registry value, then add that value to restrict where the DLL search path looks (machine-wide, per application, or only when the working directory is a WebDAV or remote folder).
Restrict the DLL search path algorithm (Machine Global, Application Specific, WebDAV or Remote Folders) KB2264107

Please note that if you intend to deploy this fix you will need to apply the hotfix to each system yourself and import the registry value; do not expect it to arrive through Windows Update.

Test all business-critical apps against this patch before you deploy it widely!
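The following PowerShell script is an added example, not code from the original post or from Microsoft's KB article. It walks the steps above in one go: check that the KB2264107 hotfix is present (without it the registry value is ignored), set the machine-wide value, add per-application overrides, and read everything back for verification. The registry locations and the meaning of the CWDIllegalInDllSearch values are taken from KB2264107 as I read it; confirm them against the article before deploying. The executable names in $PerAppPolicy are made-up placeholders. It assumes an elevated session and PowerShell 2.0 or later.

```powershell
# Added example (not from the original post or from Microsoft). Applies the
# KB2264107 DLL search path mitigation. Assumes the hotfix is installed and the
# script runs elevated. Registry paths and value meanings are from the KB
# article as I read it; $PerAppPolicy holds hypothetical executable names.

# The value name the hotfix teaches the loader to honour.
$ValueName = 'CWDIllegalInDllSearch'

# Machine-global location. A missing value means the legacy (vulnerable)
# behaviour: the current working directory is searched for DLLs.
$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# Per-application overrides live under Image File Execution Options, keyed by
# the executable's file name, and take precedence over the global value.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# DWORD values as documented in KB2264107 (confirm against the article):
#   0x1         block DLL loads from the CWD when the CWD is a WebDAV folder
#   0x2         block DLL loads from the CWD when the CWD is any remote folder (UNC or WebDAV)
#   0xFFFFFFFF  remove the CWD from the DLL search path entirely
#   0x0         legacy behaviour (CWD searched); useful as a per-app opt-out
# Note: the PowerShell literal 0xFFFFFFFF parses as Int32 -1, so the
# all-ones value is spelled out as [uint32]::MaxValue.
$Policy = @{
    BlockWebDav = [uint32]1
    BlockRemote = [uint32]2
    BlockCwd    = [uint32]::MaxValue
    Legacy      = [uint32]0
}

function Assert-HotfixInstalled {
    # Without the hotfix the value is silently ignored, which would give a
    # false sense of security. Get-HotFix queries Win32_QuickFixEngineering.
    if (-not (Get-HotFix -Id 'KB2264107' -ErrorAction SilentlyContinue)) {
        throw 'KB2264107 is not installed; CWDIllegalInDllSearch would have no effect.'
    }
}

function Set-DllSearchPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Key,
        [Parameter(Mandatory = $true)][uint32]$Value
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # REG_DWORD is written through a signed Int32, so reinterpret the bits
    # (0xFFFFFFFF must land as -1, not fail a range check).
    $raw = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $Key -Name $ValueName -Value $raw -Type DWord
}

function Get-DllSearchPolicy {
    param([Parameter(Mandatory = $true)][string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: legacy behaviour
    # Reinterpret the stored Int32 as unsigned so -1 reads back as 0xFFFFFFFF.
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$ValueName), 0)
}

Assert-HotfixInstalled

# Machine-wide: BlockRemote (0x2) stops the remote-share/WebDAV attack while
# tolerating local apps that load from their own directory. BlockCwd
# (0xFFFFFFFF) is the strongest setting and the one most likely to break
# legacy software, so tighten to it only after the testing step above.
Set-DllSearchPolicy -Key $GlobalKey -Value $Policy.BlockRemote

# Per-application overrides. Names are hypothetical placeholders: tighten
# well-behaved apps, and opt out only the legacy app that genuinely loads its
# DLLs from the working directory, until its vendor ships a fix.
$PerAppPolicy = @{
    'wellbehaved.exe'   = $Policy.BlockCwd
    'legacyfinance.exe' = $Policy.Legacy
}
foreach ($exe in $PerAppPolicy.Keys) {
    Set-DllSearchPolicy -Key (Join-Path $IfeoKey $exe) -Value $PerAppPolicy[$exe]
}

# Read back what is actually in the registry so the change can be verified.
'{0,-25} 0x{1:X8}' -f 'GLOBAL', (Get-DllSearchPolicy -Key $GlobalKey)
foreach ($exe in $PerAppPolicy.Keys) {
    '{0,-25} 0x{1:X8}' -f $exe, (Get-DllSearchPolicy -Key (Join-Path $IfeoKey $exe))
}
```

Run it on a test box first, then exercise each business-critical application with its working directory set to a network share and to a local folder; an application that stops finding a DLL under BlockRemote or BlockCwd is one that was relying on the vulnerable search order and needs a per-application entry (or a vendor fix) before the setting goes out widely.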

In my opinion Microsoft should bite the bullet on this in favor of security – this is potentially one of the most dangerous exploits we shall see this decade. Expect rampant virus infections very soon on unpatched systems. The catch-22 is that deploying this fix will likely break older third-party software that used dangerous DLL calling methods. (No names, but there were some big companies that did this right up until last year - "financial software", cough cough.)