{
	"id": "e389efb4-5e70-461f-94f4-a13782c1702f",
	"created_at": "2026-04-06T00:20:20.340299Z",
	"updated_at": "2026-04-10T03:24:29.162817Z",
	"deleted_at": null,
	"sha1_hash": "9917ab010a3b314cca3cc0cb40e45f46caaadffc",
	"title": "Microsoft Security Advisory 2269637",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109075,
	"plain_text": "Microsoft Security Advisory 2269637\r\nBy BetaFred\r\nArchived: 2026-04-05 17:17:13 UTC\r\nInsecure Library Loading Could Allow Remote Code Execution\r\nPublished: August 23, 2010 | Updated: May 13, 2014\r\nVersion: 19.0\r\nGeneral Information\r\nExecutive Summary\r\nMicrosoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities\r\nthat affects how applications load external libraries.\r\nThis issue is caused by specific insecure programming practices that allow so-called \"binary planting\" or \"DLL\r\npreloading attacks\". These practices could allow an attacker to remotely execute arbitrary code in the context of\r\nthe user running the vulnerable application when the user opens a file from an untrusted location.\r\nThis issue is caused by applications passing an insufficiently qualified path when loading an external library.\r\nMicrosoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to\r\ncorrectly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is\r\nalso actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform\r\nthem of the mitigations available in the operating system. Microsoft is also actively investigating which of its own\r\napplications may be affected.\r\nIn addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of\r\nthis new attack vector by altering the library loading behavior system-wide or for specific applications. This\r\nadvisory describes the functionality of this tool and other actions that customers can take to help protect their\r\nsystems.\r\nMitigating Factors:\r\nThis issue only affects applications that do not load external libraries securely. Microsoft has previously\r\npublished guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend\r\nalternate methods to load libraries that are safe against these attacks.\r\nFor an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share\r\nand open a document from this location that is then loaded by a vulnerable application.\r\nThe file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack\r\nvectors for this vulnerability.\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 1 of 12\n\nUpdates relating to Insecure Library Loading:\r\nUpdate released on November 9, 2010\r\nMicrosoft Security Bulletin MS10-087, \"Vulnerabilities in Microsoft Office Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on December 14, 2010\r\nMicrosoft Security Bulletin MS10-093, \"Vulnerability in Windows Movie Maker Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS10-094, \"Vulnerability in Windows Media Encoder Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS10-095, \"Vulnerability in Microsoft Windows Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Windows that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS10-096, \"Vulnerability in Windows Address Book Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS10-097, \"Insecure Library Loading in Internet Connection Signup Wizard\r\nCould Allow Remote Code Execution,\" provides support for a vulnerable component of Microsoft\r\nWindows that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on January 11, 2011\r\nMicrosoft Security Bulletin MS11-001, \"Vulnerability in Windows Backup Manager Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on February 8, 2011\r\nMicrosoft Security Bulletin MS11-003, \"Cumulative Security Update for Internet Explorer,\" provides\r\nsupport for a vulnerable component of Internet Explorer that is affected by the Insecure Library Loading\r\nclass of vulnerabilities described in this advisory.\r\nUpdates released on March 8, 2011\r\nMicrosoft Security Bulletin MS11-015, \"Vulnerabilities in Windows Media Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Windows that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS11-016, \"Vulnerability in Microsoft Groove Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 2 of 12\n\nMicrosoft Security Bulletin MS11-017, \"Vulnerability in Remote Desktop Client Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on April 12, 2011\r\nMicrosoft Security Bulletin MS11-023, \"Vulnerabilities in Microsoft Office Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS11-025, \"Vulnerability in Microsoft Foundation Class (MFC) Library\r\nCould Allow Remote Code Execution,\" provides support for a vulnerable component in certain\r\napplications built using the Microsoft Foundation Class (MFC) Library that is affected by the Insecure\r\nLibrary Loading class of vulnerabilities described in this advisory.\r\nUpdates released on July 12, 2011\r\nThe update in Microsoft Knowledge Base Article 2533623 implements Application Programming Interface\r\n(API) enhancements in Windows to help developers correctly and securely load external libraries. This\r\nupdate for Windows is available in the \"High Priority\" Updates category for customers who have not\r\nalready received the update through automatic updating.\r\nDevelopers can help to ensure their programs load DLLs properly to avoid \"DLL preloading\" or \"binary\r\nplanting\" attacks by following the guidance provided in Microsoft Knowledge Base Article 2533623 to\r\ntake advantage of the API enhancements provided by this update.\r\nMicrosoft Security Bulletin MS11-055, \"Vulnerability in Microsoft Visio Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on August 9, 2011\r\nMicrosoft Security Bulletin MS11-059, \"Vulnerability in Data Access Components Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on September 13, 2011\r\nMicrosoft Security Bulletin MS11-071, \"Vulnerability in Windows Components Could Allow Remote\r\nCode Execution,\" provides support for vulnerable components of Microsoft Windows that are affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS11-073, \"Vulnerabilities in Microsoft Office Could Allow Remote Code\r\nExecution,\" provides support for vulnerable components of Microsoft Office that are affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on October 11, 2011\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 3 of 12\n\nMicrosoft Security Bulletin MS11-075, \"Vulnerability in Microsoft Active Accessibility Could Allow\r\nRemote Code Execution,\" provides support for a vulnerable component of Microsoft Windows that is\r\naffected by the Insecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS11-076, \"Vulnerability in Windows Media Center Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Windows that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on November 8, 2011\r\nMicrosoft Security Bulletin MS11-085, \"Vulnerability in Windows Mail and Windows Meeting Space\r\nCould Allow Remote Code Execution,\" provides support for a vulnerable component of Microsoft\r\nWindows that is affected by the Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on December 13, 2011\r\nMicrosoft Security Bulletin MS11-099, \"Cumulative Security Update for Internet Explorer,\" provides\r\nsupport for a vulnerable component of Microsoft Windows that is affected by the Insecure Library Loading\r\nclass of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS11-094, \"Vulnerabilities in Microsoft PowerPoint Could Allow Remote\r\nCode Execution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdates released on February 14, 2012\r\nMicrosoft Security Bulletin MS12-012, \"Vulnerability in Color Control Panel Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Windows that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nMicrosoft Security Bulletin MS12-014, \"Vulnerability in Indeo Codec Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Windows that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on March 13, 2012\r\nMicrosoft Security Bulletin MS12-022, \"Vulnerability in Expression Design Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Expression Design that is affected\r\nby the Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on June 12, 2012\r\nMicrosoft Security Bulletin MS12-039, \"Vulnerabilities in Lync Could Allow Remote Code Execution,\"\r\nprovides support for a vulnerable component of Microsoft Lync that is affected by the Insecure Library\r\nLoading class of vulnerabilities described in this advisory.\r\nUpdate released on July 10, 2012\r\nMicrosoft Security Bulletin MS12-046, \"Vulnerability in Visual Basic for Applications Could Allow\r\nRemote Code Execution,\" provides support for a vulnerable component of Microsoft Visual Basic for\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 4 of 12\n\nApplications that is affected by the Insecure Library Loading class of vulnerabilities described in this\r\nadvisory.\r\nUpdate released on November 13, 2012\r\nMicrosoft Security Bulletin MS12-074, \"Vulnerabilities in .NET Framework Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft .NET Framework that is affected by\r\nthe Insecure Library Loading class of vulnerabilities described in this advisory.\r\nUpdate released on May 13, 2014\r\nMicrosoft Security Bulletin MS14-023, \"Vulnerability in Microsoft Office Could Allow Remote Code\r\nExecution,\" provides support for a vulnerable component of Microsoft Office that is affected by the\r\nInsecure Library Loading class of vulnerabilities described in this advisory.\r\nAffected Software\r\nMicrosoft is investigating whether any of its own applications are affected by insecure library loading\r\nvulnerabilities and will take appropriate action to protect its customers.\r\nAdvisory FAQ\r\nWhere can developers find guidance on how to avoid this issue?\r\nAs of June 14, 2011, the update in Microsoft Knowledge Base Article 2533623 implements Application\r\nProgramming Interface (API) enhancements in Windows to help developers correctly and securely load external\r\nlibraries. Developers should follow the guidance provided in Microsoft Knowledge Base Article 2533623 to take\r\nadvantage of the API enhancements provided by the update.\r\nMicrosoft has also published the MSDN article, Dynamic-Link Library Security, which describes the various\r\nApplication Programming Interfaces (APIs) available on Windows that allow developers to correctly and securely\r\nload external libraries.\r\nMicrosoft is working with developers through the Microsoft Vulnerability Research Program to share information\r\nwith them on how to prevent this vulnerability in their products. Software vendors and ISVs that have questions\r\non the mitigations available in Windows for this issue are invited to contact for additional mitigation information.\r\nWhat is the scope of the issue?\r\nMicrosoft is aware of research published by a number of security researchers that describes a new remote attack\r\nvector for this known class of vulnerabilities. Applications are affected when they insufficiently qualify the path of\r\nan external library.\r\nWhat causes this threat?\r\nThis exploit may occur when applications do not directly specify the fully qualified path to a library it intends to\r\nload. Depending on how the application is developed, Windows, instructed by the application, will search specific\r\nlocations in the file system for the necessary library, and will load the file if found.\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 5 of 12\n\nSome Application Programming Interfaces (API), such as SearchPath, use a search order that is intended for\r\ndocuments and not application libraries. Applications that use this API may try to load the library from the Current\r\nWorking Directory (CWD), which may be controlled by an attacker. Other APIs may also lead to similar behavior,\r\nwhen used in specific ways described in the MSDN article, Dynamic-Link Library Security.\r\nIn the case of network shares, such as WebDAV or SMB, an attacker who can write to this location could upload a\r\nspecially crafted library. In this scenario, the application attempts to load the specially crafted library, which can\r\nthen execute arbitrary code on the client system in the security context of the logged-on user.\r\nWhat might an attacker use this vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as a logged-on user. If\r\nthe user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability\r\ncould take complete control of an affected system. An attacker could then install programs; view, change, or delete\r\ndata; or create new accounts with full user rights.\r\nIn some cases, an attacker who already has access to a local folder on the system could use a DLL preloading\r\nvulnerability in a local application running with elevated privileges to elevate his access to the system.\r\nHow could an attacker exploit this vulnerability?\r\nThis vulnerability requires that the attacker convince the user to open a file using a vulnerable program, from a\r\nremote network location. When the application loads one of its required or optional libraries, the vulnerable\r\napplication may attempt to load the library from the remote network location. If the attacker provides a specially\r\ncrafted library at this location, the attacker may succeed at executing arbitrary code on the user's machine.\r\nWhat are the remote attack vectors for this vulnerability?\r\nThis vulnerability can be exploited over network file systems such as (but not limited to) WebDAV and SMB. An\r\nattacker can offer a file for download over any such protocol. If the application used to open this file does not load\r\nexternal libraries securely, the user opening that file could be exposed to this vulnerability.\r\nIs this a security vulnerability that requires Microsoft to issue a security update?\r\nThis vulnerability may require third-party vendors to issue a security update for their respective affected\r\napplications. As part of this security advisory, Microsoft is releasing an optional mitigation tool that helps\r\ncustomers address the risk of the remote attack vector through a per-application and global configuration setting.\r\nMicrosoft is also investigating whether any of its own applications are affected by DLL preloading vulnerabilities\r\nand will take appropriate action to protect its customers.\r\nWhat is a Dynamic Link Library (DLL)?\r\nA DLL is a library that contains code and data that can be used by more than one program at the same time. For\r\nexample, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions.\r\nTherefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box.\r\nThis helps promote code reuse and efficient memory usage.\r\nBy using a DLL, a program can be modularized into separate components. For example, an accounting program\r\nmay be sold by module. Each module can be loaded into the main program at run time if that module is installed.\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 6 of 12\n\nBecause the modules are separate, the load time of the program is faster, and a module is only loaded when that\r\nfunctionality is requested.\r\nWhat is Web-based Distributed Authoring and Versioning (WebDAV)?\r\nWeb-based Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to\r\npublish, lock, and manage resources on the Web. Integrated into IIS, WebDAV allows clients to do the following:\r\nManipulate resources in a WebDAV publishing directory on your server. For example, users who have been\r\nassigned the correct rights can copy and move files around in a WebDAV directory.\r\nModify properties associated with certain resources. For example, a user can write to and retrieve a file's\r\nproperty information.\r\nLock and unlock resources so that multiple users can read a file concurrently.\r\nSearch the content and properties of files in a WebDAV directory.\r\nWhat is Microsoft Server Message Block (SMB) protocol?\r\nMicrosoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft\r\nWindows. For more information on SMB, see MSDN article, Microsoft SMB Protocol and CIFS Protocol\r\nOverview.\r\nSuggested Actions\r\nApply the update for affected software\r\nRefer to the section, Updates relating to Insecure Library Loading, for available updates.\r\nApply Workarounds\r\nWorkarounds refer to a setting or configuration change that does not correct the underlying issue but would\r\nhelp block known attack vectors before a security update is available. See the next section, Workarounds,\r\nfor more information.\r\nWorkarounds\r\nDisable loading of libraries from WebDAV and remote network shares\r\nNote See Microsoft Knowledge Base Article 2264107 to deploy a workaround tool that allows customers\r\nto disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to\r\ndisallow insecure loading on a per-application or a global system basis.\r\nCustomers who are informed by their vendor of an application being vulnerable can use this tool to help\r\nprotect against attempts to exploit this issue.\r\nNote See Microsoft Knowledge Base Article 2264107 to use the automated Microsoft Fix it solution to\r\ndeploy the registry key to block loading of libraries for SMB and WebDAV shares. Note that this Fix it\r\nsolution does require you to install the workaround tool also described in Microsoft Knowledge Base\r\nArticle 2264107 first. This Fix it solution only deploys the registry key and requires the workaround tool in\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 7 of 12\n\norder to be effective. We recommend that administrators review the KB article closely prior to deploying\r\nthis Fix it solution.\r\n** **\r\nDisable the WebClient service\r\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability\r\nby blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning\r\n(WebDAV) client service. After applying this workaround it is still possible for remote attackers who\r\nsuccessfully exploit this vulnerability to cause the system to run programs located on the targeted user's\r\ncomputer or the Local Area Network (LAN), but users will be prompted for confirmation before opening\r\narbitrary programs from the Internet.\r\nTo disable the WebClient Service, follow these steps:\r\n1. Click Start, click Run, type Services.msc and then click OK.\r\n2. Right-click WebClient service and select Properties.\r\n3. Change the Startup type to Disabled. If the service is running, click Stop.\r\n4. Click OK and exit the management application.\r\nImpact of workaround. When the WebClient service is disabled, Web Distributed Authoring and\r\nVersioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the\r\nWeb Client service will not start, and an error message will be logged in the System log. For example,\r\nWebDAV shares will be inaccessible from the client computer.\r\nHow to undo the workaround.\r\nTo re-enable the WebClient Service, follow these steps:\r\n1. Click Start, click Run, type Services.msc and then click OK.\r\n2. Right-click WebClient service and select Properties.\r\n3. Change the Startup type to Automatic. If the service is not running, click Start.\r\n4. Click OK and exit the management application.\r\nBlock TCP ports 139 and 445 at the firewall\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445\r\nat the firewall will help protect systems that are behind that firewall from attempts to exploit this\r\nvulnerability. Microsoft recommends that you block all unsolicited inbound communication from the\r\nInternet to help prevent attacks that may use other ports. For more information about ports, see the TechNet\r\narticle, TCP and UDP Port Assignments.\r\nImpact of workaround. Several Windows services use the affected ports. Blocking connectivity to the\r\nports may cause various applications or services to not function. Some of the applications or services that\r\ncould be impacted are listed below:\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 8 of 12\n\nApplications that use SMB (CIFS)\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\nServer (File and Print Sharing)\r\nGroup Policy\r\nNet Logon\r\nDistributed File System (DFS)\r\nTerminal Server Licensing\r\nPrint Spooler\r\nComputer Browser\r\nRemote Procedure Call Locator\r\nFax Service\r\nIndexing Service\r\nPerformance Logs and Alerts\r\nSystems Management Server\r\nLicense Logging Service\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information\r\nabout ports, see TCP and UDP Port Assignments.\r\nAdditional Suggested Actions\r\nInstall updates from third-party vendors that address insecure library loading\r\nThird-party vendors may release updates that address insecure library loading in their products. Microsoft\r\nrecommends that customers contact their vendor if they have any questions whether or not a specific\r\napplication is affected by this issue, and monitor for security updates released by these vendors.\r\nProtect your PC\r\nWe continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall,\r\ngetting software updates and installing antivirus software. For more information, see Microsoft Safety \u0026\r\nSecurity Center.\r\nKeep Microsoft Software Updated\r\nUsers running Microsoft software should apply the latest Microsoft security updates to help make sure that\r\ntheir computers are as protected as possible. If you are not sure whether your software is up to date, visit\r\nMicrosoft Update, scan your computer for available updates, and install any high-priority updates that are\r\noffered to you. If you have automatic updating enabled and configured to provide updates for Microsoft\r\nproducts, the updates are delivered to you when they are released, but you should verify that they are\r\ninstalled.\r\nOther Information\r\nMicrosoft Active Protections Program (MAPP)\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 9 of 12\n\nTo improve security protections for customers, Microsoft provides vulnerability information to major security\r\nsoftware providers in advance of each monthly security update release. Security software providers can then use\r\nthis vulnerability information to provide updated protections to customers via their security software or devices,\r\nsuch as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To\r\ndetermine whether active protections are available from security software providers, please visit the active\r\nprotections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP)\r\nPartners.\r\nFeedback\r\nYou can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact\r\nUs.\r\nSupport\r\nCustomers in the United States and Canada can receive technical support from Security Support. For more\r\ninformation, see Microsoft Help and Support.\r\nInternational customers can receive support from their local Microsoft subsidiaries. For more information,\r\nsee International Support.\r\nMicrosoft TechNet Security provides additional information about security in Microsoft products.\r\nDisclaimer\r\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all\r\nwarranties, either express or implied, including the warranties of merchantability and fitness for a particular\r\npurpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including\r\ndirect, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft\r\nCorporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the\r\nexclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not\r\napply.\r\nRevisions\r\nV1.0 (August 23, 2010): Advisory published.\r\nV1.1 (August 31, 2010): Added a link to Microsoft Knowledge Base Article 2264107 to provide an\r\nautomated Microsoft Fix it solution for the workaround, Disable loading of libraries from WebDAV and\r\nremote network shares.\r\nV2.0 (November 9, 2010): Added Microsoft Security Bulletin MS10-087, \"Vulnerabilities in Microsoft\r\nOffice Could Allow Remote Code Execution,\" to the Updates relating to Insecure Library Loading\r\nsection.\r\nV3.0 (December 14, 2010): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS10-093, \"Vulnerability in Windows Movie Maker Could Allow\r\nRemote Code Execution;\" MS10-094, \"Vulnerability in Windows Media Encoder Could Allow Remote\r\nCode Execution;\" MS10-095, \"Vulnerability in Microsoft Windows Could Allow Remote Code\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 10 of 12\n\nExecution;\" MS10-096, \"Vulnerability in Windows Address Book Could Allow Remote Code Execution;\"\r\nand MS10-097, \"Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote\r\nCode Execution.\"\r\nV4.0 (January 11, 2011): Added Microsoft Security Bulletin MS11-001, \"Vulnerability in Windows\r\nBackup Manager Could Allow Remote Code Execution,\" to the Updates relating to Insecure Library\r\nLoading section.\r\nV5.0 (February 8, 2011): Added Microsoft Security Bulletin MS11-003, \"Cumulative Security Update for\r\nInternet Explorer,\" to the Updates relating to Insecure Library Loading section.\r\nV6.0 (March 8, 2011): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS11-015, \"Vulnerabilities in Windows Media Could Allow Remote\r\nCode Execution;\" MS11-016, \"Vulnerability in Microsoft Groove Could Allow Remote Code Execution;\"\r\nand MS11-017, \"Vulnerability in Remote Desktop Client Could Allow Remote Code Execution.\"\r\nV7.0 (April 12, 2011): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS11-023, \"Vulnerabilities in Microsoft Office Could Allow Remote\r\nCode Execution;\" and MS11-025, \"Vulnerability in Microsoft Foundation Class (MFC) Library Could\r\nAllow Remote Code Execution.\"\r\nV8.0 (July 12, 2011): Added the update in Microsoft Knowledge Base Article 2533623 and the update in\r\nMicrosoft Security Bulletin MS11-055, \"Vulnerability in Microsoft Visio Could Allow Remote Code\r\nExecution,\" to the Updates relating to Insecure Library Loading section. The update in Microsoft\r\nKnowledge Base Article 2533623 implements Application Programming Interface (API) enhancements in\r\nWindows to help developers correctly and securely load external libraries.\r\nV9.0 (August 9, 2011): Added Microsoft Security Bulletin MS11-059, \"Vulnerability in Data Access\r\nComponents Could Allow Remote Code Execution,\" to the Updates relating to Insecure Library\r\nLoading section.\r\nV10.0 (September 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS11-071, \"Vulnerability in Windows Components Could Allow\r\nRemote Code Execution;\" and MS11-073, \"Vulnerabilities in Microsoft Office Could Allow Remote Code\r\nExecution.\"\r\nV11.0 (October 11, 2011): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS11-075, \"Vulnerability in Microsoft Active Accessibility Could\r\nAllow Remote Code Execution;\" and MS11-076, \"Vulnerability in Windows Media Center Could Allow\r\nRemote Code Execution.\"\r\nV12.0 (November 8, 2011): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS11-085, \"Vulnerability in Windows Mail and Windows Meeting\r\nSpace Could Allow Remote Code Execution.\"\r\nV13.0 (December 13, 2011): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS11-099, \"Cumulative Security Update for Internet Explorer;\" and\r\nMS11-094, \"Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution.\"\r\nV14.0 (February 14, 2012): Added the following Microsoft Security Bulletins to the Updates relating to\r\nInsecure Library Loading section: MS12-012, \"Vulnerability in Color Control Panel Could Allow\r\nRemote Code Execution;\" and MS12-014, \"Vulnerability in Indeo Codec Could Allow Remote Code\r\nExecution.\"\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 11 of 12\n\nV15.0 (March 13, 2012): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS12-022, \"Vulnerability in Expression Design Could Allow Remote\r\nCode Execution.\"\r\nV16.0 (June 12, 2012): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS12-039, \"Vulnerabilities in Lync Could Allow Remote Code\r\nExecution.\"\r\nV17.0 (July 10, 2012): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS12-046, \"Vulnerability in Visual Basic for Applications Could\r\nAllow Remote Code Execution.\"\r\nV18.0 (November 13, 2012): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS12-074, \"Vulnerabilities in .NET Framework Could Allow Remote\r\nCode Execution.\"\r\nV19.0 (May 13, 2014): Added the following Microsoft Security Bulletin to the Updates relating to\r\nInsecure Library Loading section: MS14-023, \"Vulnerabilities in Microsoft Office Could Allow Remote\r\nCode Execution.\"\r\nPage generated 2014-05-12 18:40Z-07:00.\r\nSource: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nhttps://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637"
	],
	"report_names": [
		"2269637"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9917ab010a3b314cca3cc0cb40e45f46caaadffc.pdf",
		"text": "https://archive.orkl.eu/9917ab010a3b314cca3cc0cb40e45f46caaadffc.txt",
		"img": "https://archive.orkl.eu/9917ab010a3b314cca3cc0cb40e45f46caaadffc.jpg"
	}
}