* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Threat Advisory/Analysis](https://www2.paloaltonetworks.com/blog/category/threat-advisory-analysis/)
* Protecting Against the Ne...

# Protecting Against the New DLL Attack

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2010%2F08%2Fprotecting-against-the-new-dll-attack%2F)  
[](https://twitter.com/share?text=Protecting+Against+the+New+DLL+Attack&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2010%2F08%2Fprotecting-against-the-new-dll-attack%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2010%2F08%2Fprotecting-against-the-new-dll-attack%2F&title=Protecting+Against+the+New+DLL+Attack&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2010/08/protecting-against-the-new-dll-attack/&ts=markdown)  
\[\](mailto:?subject=Protecting Against the New DLL Attack)  
Link copied  
By [Anna Lough](https://www.paloaltonetworks.com/blog/author/anna-lough/?ts=markdown "Posts by Anna Lough")  
Aug 26, 2010  
4 minutes  
[Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisory-analysis/?ts=markdown)  
[Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisoryanalysis/?ts=markdown)  
[DLL threat prevention Microsoft](https://www.paloaltonetworks.com/blog/tag/dll-threat-prevention-microsoft/?ts=markdown)

**Summary**

Microsoft released a [security advisory](http://www.microsoft.com/technet/security/advisory/2269637.mspx) on Aug 23 that discusses a remote attack vector that allows an attacker to remotely take control of user's machine. The security advisory was in response to a [report](http://www.computerworld.com/s/article/9180901/Update_40_Windows_apps_contain_critical_bug_says_researcher?) released by a security researcher the previous week that described how more than 40 Windows applications could be compromised due to the way Windows applications load DLLs. Palo Alto Network's Next-Generation Firewalls can help thwart/mitigate such attacks by using App-ID and Content-ID technology (details below).

**What customers should do**

The attack is best controlled by introducing firewall security policies that block [SMB](http://en.wikipedia.org/wiki/Server_Message_Block) (Server Message Block) or [WebDAV](http://en.wikipedia.org/wiki/WebDAV) (Web-based Distributed Authoring and Versioning) traffic from traversing the trust to untrust zones (see scenarios below). A recent [US CERT advisory](http://www.us-cert.gov/current/#insecure_loading_of_dynamic_link) advised similarly. Security best practices indicate that most enterprises should have such policies in place on the perimeter firewall unless there is a need to allow Internet-based SMB or WebDAV traffic.

Scenario 1: *Internet-based SMB and WebDAV is not allowed/needed*

Fix: Introduce a firewall rule to block traffic for following applications (webdav, msrpc, ms-ds-smb, netbios-ss) from trust to untrust zone.

Scenario 2: *Internet-based SMB is not allowed/not-needed but WebDAV is allowed/needed*

Fix: Introduce a firewall rule to block SMB traffic (applications: msrpc, ms-ds-smb, netbios-ss) from trust to untrust. Introduce another firewall rule to allow WebDAV traffic (application: webdav) from trust to untrust and add a file blocking profile that blocks DLL file-type.

An additional layer of protection can be implemented by implementing a threat prevention (Antivirus) policy to detect and block any known malicious DLL files. Customers can choose to apply an antivirus profile on firewall rules (default action for any virus detected over HTTP or SMB is block so the default antivirus settings would work).

Customers are also recommended to check Mitigating Factors and Workarounds posted in Microsoft's Security Advisory.

**Attack Details**

The DLL attack is in fact a classic attack and is OS-agnostic -- if an application needs to find any library (DLL in case of Windows), it looks in the each of the directory (in order) mentioned in the PATH shell variable. If an attacker places the malicious library in a directory that appears in the PATH variable "before" the directory containing the genuine library, then the attacker can have his/her malicious code executed by the application. For such an attack to happen, two things are required:

1. Application loading the library uses relative library name instead of full path (this will cause the library to be searched in directories mentioned in PATH variable)

2. The malicious library that needs to be installed is present on the local machine.

**The new research finding relaxed the second requirement**. This causes the threat surface to increase dramatically in the sense that the attacker can now create a data file that the vulnerable application can open, create a malicious library that the vulnerable application would invoke and host both files on an Internet-based network share that the user can access. If somehow the user can be lured into accessing the specially crafted data file then the vulnerable application would execute the malicious library that will cause the attacker's code to run the local machine.

It is to be noted that the threat applies to only those windows applications that load DLLs by using the DLL name only and not using the absolute path name of the DLL. If IT personnel are interested in finding what vulnerable applications exist on a given machine, they can use a public program available from metasploit (For obvious reasons, Palo Alto Networks does not guarantee the correctness of this program).

[http://blog.metasploit.com/2010/08/better-faster-stronger.html](http://blog.metasploit.com/2010/08/better-faster-stronger.html)

This attack is also described in a [Microsoft blog](http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx) and [US CERT Technical Alert TA10-238A.](http://www.us-cert.gov/cas/techalerts/TA10-238A.html)

*** ** * ** ***

## Related Blogs

### [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Native Application Protection Platform](https://www.paloaltonetworks.com/blog/category/cloud-native-application-protection-platforms/?ts=markdown), [Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisoryanalysis/?ts=markdown)

[#### CircleCI Incident Highlights Cloud Platform Querying Struggles for Compromised Credentials](https://www2.paloaltonetworks.com/blog/cloud-security/circleci-platform-query-credentials/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Threat Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/threat-advisory-analysis/?ts=markdown), [Unit 42](https://unit42-dev2.paloaltonetworks.com)

[#### Inside TDrop2: Technical Analysis of new Dark Seoul Malware](https://www2.paloaltonetworks.com/blog/2015/11/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language