This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 2%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHW%3C/text%3E%3C/svg%3E)
According to this help page, any application or DLL created with MFC will attempt to load localized resources from satellite DLLs such as exampleENU.dll or exampleLOC.dll.
We have built a legacy application using MFC, but we do not use this particular mechanism to provide localization. However, we want to preempt any potential security risks that stem from our application trying to load DLLs that we do not actually use or provide.
Is there any way to disable this behavior of an MFC application? We do not want our application to attempt to load any of these DLLs, as we see a potential vulnerability to arbitrary code execution should an attacker deposit a malicious DLL under such a name within the DLL search path.
It should perhaps be noted that most of our application's functionality is spread across multiple C++ DLLs, each of which links against MFC, whereas the main application .exe does not link against MFC itself. The observed behavior is that each of our module DLLs attempts to load its own set of localized satellite DLLs, which is what we want to avoid.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 86%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
The underlying MFC source code function appears to be AfxLoadLangResourceDLL as far as I can see. If you link to MFC statically, maybe you could provide your own version of that function to circumvent the normal one?
As far as I can tell the MFC localized satellite DLLs are resource-only and are loaded using LoadLibraryEx with flags that are only suitable for use with resource-only Dlls. For example, calling GetModuleHandle on one of the satellite DLLs will fail. Perhaps the DLL hijack risk is mitigated by the way that MFC loads the satellite DLLs. Also, assuming your application is installed to a protected file system location the standard DLL safe search order will find MFC DLLs in System32 before a current directory or a path is searched.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 57.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMY%3C/text%3E%3C/svg%3E)
Is there any update? Does the answer solve your problem?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Been a long time since I've done anything with MFC but I don't know how much of a security risk it actually is. It is a resource DLL so the only thing that is used out of it is the resources that are embedded. By default they wouldn't be a security risk. I suppose if the DLL has malicious code in the startup block when the DLL is loaded then it could do something but that is about it.
However from a security point of view, if a malicious user can drop a binary into your application's directory then your system is already compromised. It is too late at that point anyway so protecting for this one class of risk doesn't really protect the rest of your system. For example suppose you don't allow loading of resource DLLs, fine. As a malicious user I simply drop a DLL with the same name as: a system DLL (which Windows will load first by default), one of your own DLLs, or even your EXE. In all cases I have just injected myself into your process and there is nothing you can do to stop it short of ensuring all your binaries are cryptographically signed and your app enforces it.
But if you really want a "feel good" option then MFC loads DLLs by following a well defined search order for the resource DLL to use. Since that is based upon the locale of the machine you would either need to provide a resource DLL for all languages you need to support or at least English. This would prevent a malicious user from dropping their own (further down the chain). But, again, if they can drop binaries into your app directory your system is already compromised.
Thank you for the in-depth answer. My own experimentation shows that even if you do drop a DLL with code and an entry point in place of such a satellite DLL, that entry point is never actually called.
I'm not happy that there doesn't appear to be any kind of way to disable this behavior of MFC, but I can at least see that there is no major security risk emanating from it.