A threat to common “.dll” files hits many apps

By Susan Bradley

Microsoft’s latest security advisory on .dll-file vulnerabilities reveals a whole new chapter of Internet security troubles — and raises many more questions than it answers.

Many popular applications may be targets of this new threat, and there’s no single patch that will fix it.

The public disclosure of this new threat from DLL (dynamic link library) files started with a recent Apple iTunes patch. A security firm discovered that iTunes could load DLLs from locations its developers never intended. (DLL files are used extensively by Windows and Windows apps. For more details on what these files do, see the MS Support article, “What is a DLL?”) iTunes inadvertently loaded a DLL from a shared drive on a network — not from the app folder it was supposed to use. This little flaw prompted Apple security update HT4105.


Researchers soon discovered that dozens of other Windows applications, such as Adobe Photoshop CS2 and MS Word 2007, had the same vulnerability. On August 23, Microsoft released Security Advisory 2269637, which gave details about the flaw. When you read the description, you’re left with the impression that it all comes down to sloppy programming.

How to measure your level of exposure

The wide-ranging nature of this threat makes evaluating your level of exposure difficult. There is a test you can run on your systems, but it’s not for the faint of heart. Here’s what to do:
  • Go to Microsoft’s Process Explorer page and download the app. Extract it in a new folder on your computer.

  • On Metasploit’s DLLHijackAuditKit page, download this tool to the same folder on your PC.

  • If you are running Vista or Windows 7, right-click on 01_StartAudit.bat and select Run as administrator. (If you’re using XP, just double-click the file to run it.) Let the auditing program walk through all the registered file types on your computer. (This might take some time.) When the script is completed, save the resulting processmonitor file as logfile.csv in the same folder containing 01_StartAudit.bat.

  • Now launch 02_Analyze.bat and have it analyze the results.

If you would rather not go through that process, a list of vulnerable applications is being compiled on Peter Van Eeckhoutte’s blog site.

Another Website, Exploit-db.com, is currently the best source for information on what applications may be vulnerable. The Exploit-db folks are accumulating a master database of recent, known exploits — though it’s harder to interpret than Van Eeckhoutte’s site. The list of potentially vulnerable programs submitted to Exploit-db.com includes such mainstays as Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2007 and 2010, Firefox 3.6.8, Foxit Reader, Wireshark, and uTorrent.

Tips for managing DLL vulnerabilities

What? Another round of vulnerabilities? Before you shut down your computer and dive under the covers, never to touch your machines again, take a few moments to understand what we’re facing and what our options are. As a small-business owner, I know the success of my business depends on making the right security decisions.

Based on my reading and testing thus far, simply downloading patches to fix the problem might break some of my critical business applications. If you use the DLL patch process offered by Microsoft in MS Security Advisory 2264107 (more on that below), do so on a separate test PC first and then look for problems with your apps. If you do run into a problem, look for updates for your software and consider disabling WebClient Service, if possible (discussed below).

Security expert HD Moore has two DLL-fix recommendations in his blog, but home users may find them difficult to implement.

First, check that your local firewall is preventing outbound Server Message Block (SMB) file processes. To do this, see whether the local firewall lets you block traffic through ports 135 and 445. But be careful: if you have a peer-to-peer home-network environment, you may need these ports.

Another method is to check your DSL- or cable company–supplied router’s firewall settings. See whether you can adjust it to specifically block ports 135–139 and port 445. On my Linksys router, the port-filtering section lets me control up to five different ranges of ports, as shown in Figure 1.

Figure 1. Linksys home-router port-filter controls (circled in yellow) let you manage traffic on as many as five port ranges.

I have far less control on an AT&T 2Wire modem I use. After I unchecked the Allow all protocols box under Inbound and Outbound Control and then selected the specific outbound connectivity I wanted (see Figure 2), I could no longer securely send my POP e-mail user name and password.

(Checking the POP3 box allowed unsecured e-mail information to pass through port 110. I prefer to use port 995 for secure e-mail transfers, but the 2Wire controls do not allow that level of control.)

I’ll keep looking for a solution for that particular modem, but I may end up buying a Linksys to put in front of it.

Figure 2. AT&T’s 2Wire modem lets you control inbound and outbound traffic by specific protocols but not by port number.

Moore’s second recommendation is to disable the WebClient Service, which will then block the WebDAV vulnerability. (WebClient lets Windows apps create, access, and change Web-based files.) But this, too, should be done with caution — it might disable services such as SkyDrive and JungleDisk. To turn off WebClient, go into Control Panel, Administrative Tools, and then Services. Scroll toward the bottom and click WebClient. In the WebClient control window, find Startup type and select Disabled. (See Figure 3.)

Figure 3. WebClient Services can be disabled by going to the Administrative Tools within Windows and selecting WebClient.

Microsoft offers Registry patch for DLL control

If you want to test Microsoft’s DLL-blocking solution, go to MS Support article 2264107 and scroll down to the Update Information subsection and find the update for your specific platform. Install it and reboot your computer.

Now you’re ready for step two: go to the Fix it for me subsection in article 2264107 and click the Fix it button. Clicking the button automatically creates a Registry entry that blocks “nonsecure DLL loads from WebDAV and SMB locations.”

Should one of your applications stop working after the fix, you can try the following tweak to the Registry:
  • Click Start and Run, then type in regedit and click OK or hit the Enter key. Scroll down the Registry list to HKEY_LOCAL_MACHINE and expand the tree below it.

  • Now, navigate down the tree through SYSTEM, CurrentControlSet, Control, and Session Manager (circled in yellow in Figure 4).

  • Click on Session Manager and look for CWDIllegalInDllSearch in the list to the right (also circled in yellow in Figure 4). Double-click it.

  • In the Edit DWORD Value window that pops up, change the Value data from 2 to 1 and try again. If you still have problems with an app, change it to 0 and push that vendor to fix their application.

Figure 4. If you use Microsoft’s DLL fix and some apps stop working, you may be able to get them running again by tweaking the Registry.
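
The WebClient startup type and the CWDIllegalInDllSearch Registry value discussed above can both be checked from a PowerShell prompt instead of through Services and regedit. The read-only audit below is an added example, not part of the original column or of Microsoft’s Fix it; it assumes PowerShell 3.0 or later, takes the value meanings and the per-application Image File Execution Options location from Microsoft’s article 2264107, and uses a made-up helper name, Get-CwdDllSearchPolicy.

```powershell
# Added example: read-only audit of the mitigations discussed in this column.
# Get-CwdDllSearchPolicy is a hypothetical helper name, not a built-in cmdlet.
function Get-CwdDllSearchPolicy {
    param([Parameter(Mandatory)][string]$KeyPath)
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    $v = [int64]$item.CWDIllegalInDllSearch
    if ($v -lt 0) { $v += 4294967296 }        # DWORD surfaced as a signed integer
    $text = switch ($v) {
        0          { 'default search order, current directory included (least secure)' }
        1          { 'current-directory loads blocked when it is a WebDAV folder' }
        2          { 'current-directory loads blocked when it is a WebDAV or SMB/UNC folder' }
        4294967295 { 'current directory removed from the DLL search order' }
        default    { 'unrecognised value' }
    }
    '{0} = {1}' -f $v, $text
}

# System-wide setting: the key edited in the regedit steps above.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
'System-wide CWDIllegalInDllSearch: ' + (Get-CwdDllSearchPolicy $sessionManager)

# Per-application overrides (location documented in Microsoft article 2264107).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $policy = Get-CwdDllSearchPolicy $_.PSPath
    if ($policy -ne 'not set') { 'Override for {0}: {1}' -f $_.PSChildName, $policy }
}

# WebClient provides WebDAV access; Disabled is the hardened state described above.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
if ($svc) {
    'WebClient: StartMode={0}, State={1}' -f $svc.StartMode, $svc.State
} else {
    'WebClient: service not present'
}
```

A system-wide result of “not set” means the Registry entry has not been created, so Windows is still using its default DLL search order.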

So far, my tests with the Metasploit tool have yielded different results between 32-bit and 64-bit machines. I’ve also found that PowerPoint 2007 and 2010 are consistently listed as being vulnerable. Although an Aug. 31 Microsoft Security Research & Defense blog states that DLL attacks are unlikely to work on files sent by e-mail, I’m still telling my father not to open those PowerPoint files he and his friends love to e-mail around.

For now, block those outbound ports, don’t open up files unless you were expecting them, and be prepared to see your software vendors pushing out patches. And if they don’t, send them an e-mail and ask them why they aren’t updating their software for this problem.

After going through all this, I feel like paraphrasing Franklin D. Roosevelt’s World War II words of wisdom: We only have fear right now, and not a lot of solid answers in this DLL mess.


The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2010-09-09:
