Safari, Firefox Patch Windows DLL Security Hole
Apple has joined Mozilla in releasing a browser security update for a bug affecting numerous Windows programs. It means Safari and Firefox are the only major browsers that have been issued a fix.
In both cases, the problem is the much talked-about Windows bug involving dynamic link libraries (DLLs). It stems from the way Windows works combined with the settings of individual applications, many of which aren't produced by Microsoft.
Windows DLL Bug Affects All Versions of Windows
In short, the problem is that when an application tries to load a DLL but doesn't say where the file is located, Windows will run through a set checklist of possible places it might be.
That opens up the possibility of a bogus DLL being placed so that it is found and opened before Windows gets to the real file. The recent flood of interest in this bug is due to the fact that it's now been proven possible for hackers to put the bogus file on a machine without having to physically access it.
Windows, Applications Can Both Be Secured
Microsoft has issued a temporary solution that changes the way Windows looks for "missing" DLLs, as well as limiting the likelihood that a machine opening a bogus DLL will wind up infected. That tool is available via Microsoft, although the fix is somewhat complex.
Because the temporary fix doesn't necessarily cover all situations, and because not every user will have installed the fix, there is still pressure on application developers to patch things at their end, which appears to mainly involve making sure applications don't trigger the search by Windows in the first place.
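The lookup described above can be modelled in a few lines. This is an added example, not code from the original article or from Microsoft, Mozilla or Apple. The directory order, the folder names and the file names `codec.dll` and `plugin.dll` are assumptions constructed for illustration, and the real Windows search list has more entries.

```python
import os
import tempfile

def resolve(name, search_dirs):
    """Return the first existing file a lookup would load, else None."""
    if os.path.isabs(name):          # full path given: no directory search happens
        return name if os.path.isfile(name) else None
    for directory in search_dirs:    # bare name: walk the checklist in order
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit(name, search_dirs, trusted_dirs):
    """Classify a lookup as 'trusted', 'untrusted' or 'not found'."""
    hit = resolve(name, search_dirs)
    if hit is None:
        return "not found", None
    parent = os.path.realpath(os.path.dirname(hit))
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    return ("trusted" if parent in trusted else "untrusted"), hit

def build_demo(root):
    """Constructed layout with hypothetical file names; all files are empty."""
    dirs = {k: os.path.join(root, k) for k in ("app", "system", "workdir")}
    for d in dirs.values():
        os.makedirs(d)
    open(os.path.join(dirs["system"], "codec.dll"), "w").close()    # genuine copy
    open(os.path.join(dirs["workdir"], "codec.dll"), "w").close()   # same name beside a document
    open(os.path.join(dirs["workdir"], "plugin.dll"), "w").close()  # "missing" from app and system
    return dirs

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        d = build_demo(root)
        trusted = [d["app"], d["system"]]
        with_cwd = [d["app"], d["system"], d["workdir"]]   # working directory still on the list
        without_cwd = [d["app"], d["system"]]              # working directory removed
        return {
            "present_in_system": audit("codec.dll", with_cwd, trusted)[0],
            "missing_with_cwd": audit("plugin.dll", with_cwd, trusted)[0],
            "missing_without_cwd": audit("plugin.dll", without_cwd, trusted)[0],
            "full_path": audit(os.path.join(d["system"], "codec.dll"), with_cwd, trusted)[0],
        }

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

Only the "missing" DLL requested by bare name resolves to the untrusted folder; removing the working directory from the list or requesting a full path closes that case.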
Mozilla First Major Browser to Issue Fix for DLL Bug
Mozilla Firefox became the first major browser to issue such a fix this week. The company noted that even before the fix, the vulnerability only affected the browser in Windows XP, and that even then it could only work if Firefox wasn't open when the user clicked on a link to open a webpage.
That means an attacker would have to rely on users clicking links in, for example, a message in a standalone email program. (Source: mozilla.org)
Apple has also patched the problem in Safari, while fixing a similar problem with executable files (those that end in .EXE). Although the principles of this issue are the same, not all applications affected by the DLL problems are also subject to the .EXE vulnerability. (Source: computerworld.com)