
How serious is a malicious DLL file vulnerability for enterprises?

A flaw that allows attackers to load malicious DLL files in Symantec products was labeled as severe. Expert Michael Cobb explains the vulnerability and its classification.

Symantec reported a major dynamic link library (DLL) code vulnerability that affects three of its enterprise security products. DLL code vulnerabilities are usually considered to be lesser threats to enterprises. What is the flaw, and why has Symantec labeled it as a severe vulnerability?

A flaw that allows attackers to load malicious DLL files was found by one of Symantec's senior threat analysis engineers in its IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products. According to Symantec, the affected products don't use an absolute path when loading DLL files during the boot process.

A DLL contains code and data that multiple applications can use at the same time. Like executable files, DLL files can hold code, data and resources such as images; the difference is that more than one program can load and share a DLL simultaneously.

There are many benefits to using shared libraries, including modularity, code reuse, reduced disk usage and more efficient memory use and load times. However, if an application dynamically loads a DLL without specifying a fully qualified path to its location, it opens up the possibility of a DLL preloading attack, because Windows then attempts to locate the DLL file by searching a well-defined set of directories in order. If an attacker can copy a malicious version of the DLL file into one of these directories, the application may load and execute the malicious DLL file instead of the authorized file it was expecting. This enables the attacker to execute code in the security context of the user who is running the application. If the application is run as an administrator, this can lead to a local elevation of privilege.
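As an added example (not code from the article or from Symantec), the following PowerShell function reports DLLs that a running process has loaded from outside the locations a correctly written application would load them from, which is the footprint a DLL preloading attack leaves on a host; the trusted roots and the user-writable directories it checks are assumptions you can adjust for your estate.

```powershell
# Added example, not code from the article or Symantec: report DLLs that a
# running process loaded from outside the locations a correctly written
# application would load them from. A module sitting in a user-writable
# directory is the footprint a DLL preloading attack leaves behind.
function Get-UntrustedDllLoads {
    param(
        # Process name without .exe (e.g. 'notepad'); all processes by default
        [string]$ProcessName = '*',
        # Directory roots treated as trusted (assumption: adjust per estate)
        [string[]]$TrustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)})
    )

    # Locations an ordinary user can write to; a DLL loaded from here is the
    # strongest signal that the search order, not an absolute path, chose it
    $userWritable = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $exeDir  = Split-Path -Parent $proc.MainModule.FileName
            $modules = $proc.Modules
        } catch {
            # Protected process, bitness mismatch or missing rights: skip it
            continue
        }
        # The application's own directory is a legitimate part of the search order
        $roots = @($TrustedRoots + $exeDir) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $isTrusted = $roots | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if ($isTrusted) { continue }
            $isWritable = $userWritable | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            [pscustomobject]@{
                Process      = $proc.ProcessName
                PID          = $proc.Id
                Module       = $m.ModuleName
                Path         = $path
                UserWritable = [bool]$isWritable
            }
        }
    }
}

# Review the user-writable hits first; run elevated to see other users' processes
Get-UntrustedDllLoads | Sort-Object UserWritable -Descending | Format-Table -AutoSize
```

A 64-bit PowerShell session cannot enumerate the modules of 32-bit processes (and vice versa), so run the function from both architectures to get full coverage.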

Although many experts consider this type of malicious DLL vulnerability low risk, Symantec classified the issue, tracked as CVE-2016-6590, as high risk based on the new Common Vulnerability Scoring System (CVSS) scoring methodology, which is a mathematical approximation of all possible metric combinations ranked in order of severity.

The fact that this vulnerability can lead to code execution is the main reason it scores highly, even though an attacker would first need to trick an authorized user into visiting a malicious website or clicking a malicious email link in order to download the malicious DLL.

Microsoft has provided advice for securely loading DLLs for several years, so it's disappointing that Symantec didn't follow this best practice. Symantec has released updates to address the problem.


This was last published in April 2017
