Microsoft Unveils Workaround for Remote DLL Attacks

Dennis Faas's picture

Microsoft has addressed a vulnerability affecting the way certain Windows programs load DLLs (dynamic link library files). It has done so by releasing an advisory that explains how to avoid being exploited by hackers.

Although the flaw was only recently reported, it's a variation of a decade-old issue affecting DLLs. Dynamic link library files are commonly shared amongst multiple Windows programs and are typically included inside Windows setup / install programs.

The exploit works like this: if a hacker is able to convince a user into opening a file, they can force a program to load a malicious DLL created by the attacker.

DLL Attacks Now Executed Remotely

In older instances where this kind of attack was used, the malicious file had to be located on a local system. The recent change to this model is that now attackers can exploit a network or server remotely. (Source:

As complaints surrounding this issue emerged years ago, Microsoft was able to adjust the way DLLs were loaded and limit the chance of an attack. However, Microsoft did not create a solution that completely eliminated the threat, which has allowed hackers to slowly adapt.

Microsoft's reason for not completely fixing the problem was simple: it feared such a move would cause too many incompatibility issues across too many systems.

Complex Workaround Now Available

The company has released an advisory and workaround to prevent people from getting attacked remotely.

Microsoft recommends developers follow closely follow security procedures as described on MSDN (Microsoft Developer Network), and for administrators it says a solution is to block TCP ports 139 and 445 at the firewall level while disabling the WebClient service temporarily.

Because the workaround will not solve the issue permanently, Microsoft says it is working with security experts to devise a plan that will defeat this nagging problem once and for all.

"We are currently conducting a thorough investigation into how this new vector may affect Microsoft products," said Christopher Budd, Microsoft senior security response communications manager. (Source:

| Tags:
Rate this article: 
No votes yet