The Windows Club

Microsoft releases Tool to block DLL load hijacking attacks

Some time back there were reports about a security issue that affected  about 40 different Windows apps. Microsoft has quickly responded to such reports of potential zero-day attacks against such Windows programs by publishing an update or  tool to block such exploits. However Microsoft also clarified that the flaw isn’t in Windows.

Tool to block DLL load hijacking attacks

Microsoft has issued a Security Advisory (2269637) titled, Insecure Library Loading Could Allow Remote Code Execution.

“Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.”

> Ad


Microsoft has also released an Update that will block the loading of DLL’s from remote directories, thereby preventing DLL Hijackings.

This update introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.

When an application dynamically loads a DLL without specifying a fully qualified path, Windows tries to locate this DLL by searching through a well-defined set of directories. These sets of directories are known as DLL search path. As soon as Windows locates the DLL in a directory, Windows loads that DLL. If Windows does not find the DLL in any of the directories in the DLL search order, Windows will return a failure to the DLL load operation.

More details & download links at KB2264107.