Microsoft releases tool to block DLL load hijacking attacks

But stays mum on whether any of its own apps are vulnerable

1 2 Page 2
Page 2 of 2

Microsoft's tool targets enterprises, not consumers, said Budd, and won't be pushed to customers automatically through the company's Automatic Updates service.

In the advisory, Microsoft listed other workarounds customers could take, including blocking outbound SMB (Server Message Block) traffic at the firewall and disabling Windows' built-in Web client. Last week, Moore had recommended users do both, based on his preliminary work.

Budd also argued that the possible exploits spelled out by Moore and others represent a new attack vector, a claim that some researchers rejected.

"This [has been] known since 2000, and I also reported it in 2006," said Israeli researcher Aviv Raff on Twitter Monday. Aviv had revealed a DLL load hijacking bug in Internet Explorer 7 (IE7) in December 2006. Microsoft waited until April 2009 to patch Raff's IE vulnerability.

Microsoft today refused to say whether any of its applications include the programming flaw that would make them vulnerable. "We're going through [our products] and researching," said Budd. "If there are vulnerabilities, we'll address them."

Earlier today, several outside security researchers said they would be interested to know whether any Microsoft software is at risk, which would mean that Microsoft's developers had not followed the company's advice to third-party programmers.

Budd said he couldn't immediately confirm that Microsoft has known of the DLL load hijacking vulnerabilities since at least August 2009, when University of California Davis researcher Taeho Kwon said he contacted the company. Today, Budd said that he understood that Microsoft had been working the problem only for the "past couple of weeks."

If Kwon's timeline is accurate, Microsoft's inability to name which of its products, if any, are vulnerable will likely seem especially odd to researchers.

The MSRC engineering team also published some technical information about the attack vector and the blocking tool on Microsoft's "Security Research & Defense" blog Monday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon