Security: DLL Search order Vulnerability

This vulenrability is a little old, reported about a month ago, but I’m just getting around to patching it and Microsoft isn’t. The “Insecure Library Loading Could Allow Remote Code Execution” vulnerability was announced by Microsoft back in late August in bulletin 2269637.  Unfortunately Microsoft has not rolled out a patch with their normal patch rollouts. Probably because of the potential to break apps. They did publish knowledge base article 2264107 which has a workaround to the problem.

In short, because the working directory is included in a DLL search path and could be a remote directory it was possible for an attacker to compromise a system with a remote DLL. Applications could avoid this by not relying on the default search order.

I ran through the steps and haven’t had an issue. Since I don’t expect any of my applications to run a remote DLL (WebDAV or SMB file share) I’m not expecting any problems. I’ve installed the patch and changed the settings on Windows 7 64-bit only, but the patch is available for other OS’s and the process seems the same for them.

To patch the PC:

  1. Download and install the appropriate OS patch from the KB article. I needed to reboot and I suspect the other OS’s will also need a reboot.
  2. The patch doesn’t change anything, it just enabled the use of the registry keys described in the article. You can create the registry key(s) manually or do like I did, and click the “Fix It” link in the article.
  3. The Fix It link creates the global registry key with a value of “2” which prevents searching the working directory for DLLs in the location is WebDAV or SMB (remote).

The working directory isn’t the directory the application is installed in (I suppose it can be, but that would be coincidence). This patch also affects the search order (based on the article) so if the app is installed remotely, and properly written to not rely on the remote working directory for a DLL, I would expect the app to continue to work. But, I don’t have any remotely installed apps to test this out.

This is the first time I tried one of those “Fix It” links. It’s a little scary but worked well. I’ll post an update if I have any app issues, but so far so good.

%d bloggers like this: