Why Friends Don’t Let Friends Run Windows: Mystery Banking DLL

So I signed into the credit union’s online banking site, did the multi-factor authentication dance, and was confronted with this dialog box…

HVFCU Mystery DLL Download

No, as a matter of fact, I did not choose to open ibank.dll, thank you very much for asking.

Well, what would you do?

Got this response from the credit union’s email help desk:

Upon speaking to our Information Technology department, I have been advised that this is a known problem for FireFox, Mac, and Linux users.

Hmmm, well now, Internet Explorer is conspicuous by its absence on that list, isn’t it?

A bit more prodding produced this response:

HVFCU uses a third party vendor to provide the Internet Banking software used on our servers.  On November 22 we installed the equivalent of their year end release (which is mandatory due to regulatory changes contained in the release).  Subsequent to that upgrade we discovered that errors had been introduced for Mac and/or Linux users of Safari and FireFox (and also for a small subset of Windows Internet Explorer users).  These same errors do not occur on Safari nor FireFox running on Windows.  We reported these problems to our vendor within 24 hours of the installation.

My guess is that the “small subset of Windows Internet Explorer users” corresponds to the few who actually armored-up their IE security settings enough that it doesn’t automatically download and execute anything offered to it from any website.

The rest, well, those PCs are most likely part of a zombie botnet.

He assured me:

The “ibank.dll” program cannot run on a Mac nor a PC.  It is solely a server side application which generates HTML pages.

Just guessing here, but if the “misconfiguration” had extended to actually serving the file, well, it probably would have run just fine (or, at least, attempted to run) on any Windows PC. They are, after all, using DLLs on the server, so it’s not like they’re a Unix-based shop.

And it’s pretty obvious that their vendor’s testing extended only far enough to verify that the code worked with security settings dialed to “Root me!” Maybe they didn’t actually do any testing at all; this was, after all, just an end-of-year update. What could possibly go wrong?

If you’re wondering why your Windows-based PC has been behaving oddly, maybe you’ve gotten a drive-by download from a trustworthy site with all the appropriate icons on their home page.

Makes you really trust the banking system, doesn’t it?

Or maybe it’s just another reason to stop using Windows…