Safari, Firefox Patch Windows DLL Security Hole

Apple has joined Mozilla in releasing a browser security update for a bug affecting numerous Windows programs. It means Safari and Firefox are the only major browsers that have been issued a fix.

In both cases, the problem is the much talked-about Windows DLL bug that deals with dynamic link libraries (DLLs). It involves the way Windows works and the settings of individual applications, many of which aren't produced by Microsoft.

Windows DLL Bug Affects All Versions of Windows

In short, the problem is that when an application tries to load a DLL but doesn't say where the file is located, Windows will run through a set checklist of possible places it might be.

That opens up the possibility of a bogus DLL being placed so that it is found and opened before Windows gets to the real file. The recent flood of interest in this bug is due to the fact that it's now been proven possible for hackers to put the bogus file on a machine without having to physically access it.

Windows, Applications Can Both Be Secured

Microsoft has issued a temporary solution that changes the way Windows looks for "missing" DLLs, as well as limiting the likelihood that a machine opening a bogus DLL will wind up infected. That tool is available via Microsoft, although the fix is somewhat complex.

Because the temporary fix doesn't necessarily cover all situations, and because not every user will have installed the fix, there is still pressure on application developers to patch things at their end, which appears to mainly involve making sure applications don't trigger the search by Windows in the first place.

Mozilla First Major Browser to Issue fix to DLL Bug

Mozilla Firefox became the first major browser to issue such a fix this week. The company noted that even before the fix, the vulnerability only affected the browser in Windows XP, and that even then it could only work if Firefox wasn't open when the user clicked on a link to open a webpage.

That means an attacker would have to rely on users clicking links in; for example, a message in a standalone email program. (Source: mozilla.org)

Apple has also patched the problem in Safari, too, while also fixing a similar problem with executable files (those that end in .EXE). Although the principles of this issue are the same, not all applications affected by the DLL problems are also subject to the .EXE vulnerability. (Source: computerworld.com)