Microsoft Patch Bundle Fixes DLL-Load-Hijacking

Microsoft’s January patches fixed 3 vulnerabilities in Windows, including one that could be exploited by a malicious website.  The company also implemented a new defensive measure to help defend against ongoing attacks exploiting a known bug in Internet Explorer.  Microsoft took the unusual step of using the Windows Application Compatibility Toolkit to modify IE so it’s immune to attacks leveraging a bug in how the browser processes a Cascading Style Sheets (CSS) file.  This is the first time that I am aware of that they’ve used the Application Compatibility Toolkit to mitigate a zero-day vulnerability.  The toolkit has been part of Windows since XP, and was designed to allow older apps to run on newer versions of Windows.

The workaround modifies the core dynamic-link library “Mshtml.dll”, which contains the rendering engine, each time IE runs.  The modification prevents recursive loading of a CSS file, which effectively stops the attacks in their tracks.