Recently, information security experts identified 151 high risk vulnerabilities associated with Microsoft DLL hijacking vulnerabilities. However, only 23 of those vulnerabilities are reported to be addressed. The remaining vulnerabilities, which are in the public domain, still remain unpatched. The vulnerabilities identified include those associated with Dynamic-Link Library (DLL) preloading, insecure library loading and EXE loading. The vulnerabilities, which result in insecure file location searches, provide opportunity for attackers to execute arbitrary code. Information security experts at Microsoft warn that applications, which do not load external libraries securely, are more susceptible to DLL preloading attacks.
Arbitrary code will be executed when a user unintentionally opens a file from a suspicious or untrusted location. However, the default setting for file sharing protocol is usually disabled, thereby offering protection from exploitation of DLL preloading vulnerability.
Timely issuance of security patches is crucial to avoid compromise of system and information security of large number of users. Delay in issuing security advisories may not only compromise security but also alter the user experience. On the other hand, vendors are faced with enormous challenge of keeping up to the numerous vulnerabilities discovered regularly. One of the reasons for slow response from vendors is the elaborate testing requirements for analyzing vulnerabilities. Usually, ethical hacking is used to discover and mitigate vulnerabilities.
Ironically, the security releases are a boon for the hackers as they have instant access to vulnerabilities. Until the time, vendors release relevant updates and patches, attackers may continue to exploit the vulnerabilities. Internet users must keep track of the security updates by vendors and security firms to limit the threat from vulnerabilities.
The vulnerabilities are also known as binary planting vulnerabilities. While users are still waiting for the security updates for known vulnerabilities, new vulnerabilities continue to be discovered making IT security that much complicated.