The new solution comes roughly a week after Microsoft released a security advisory on the issue. Along with the Fix-it, the company also pledged to address any DLL loading issues present in its own software.
“First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers,” blogged Jerry Bryant, group manager of Microsoft Security Response Center (MSRC) communications. “This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important.”
Though Microsoft has not named any affected applications, security researchers published the names of several programs last week believed to be susceptible to the issue. Among them are Microsoft programs such as Microsoft Word 2007 and Microsoft Office PowerPoint 2010, as well as non-Microsoft programs such as Mozilla Firefox and Adobe Photoshop.
The vulnerability occurs when an application does not directly specify the fully qualified path to a library it intends to load. Depending on how the application is developed, Windows will search specific locations in the file system for the necessary library and load the file if found.
“Some Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for documents and not application libraries,” Microsoft explained in its advisory. “Applications that use this API may try to load the library from the Current Working Directory (CWD), which may be controlled by an attacker.”
Read More Here
