But the difference is that in this case, an application is
automatically loading DLL's, simply becaise it's there.

In apps we normally write, somewhere in code, there would be a
CREATEOBJECT() to instantiate it. That means the application is
expecting the DLL. In the case of Crystal, the Crystal application
has no idea what is being loaded.

If someone wrote a malicious DLL, and put it on your PC, unless you or
someone else wrote an application that specifially calls this DLL,
it would just sit there an never be a problem.

Crystal is, by nature of this feature, providing an automatic
launcher for any DLL which is named with "CRUFL". All the DLL
has to do to be run, is be loaded and registered on the PC and
wait for a Crystal application to start.