Windows 7 Forums

Windows 7: How to thwart the new DLL hijacks

29 Aug 2010   #1
JMH

Win 7 Ultimate 64-bit. SP1.
 
 
How to thwart the new DLL hijacks

Quote:

Earlier this week I wrote in Tech Watch about a whole new class of Windows zero-day vulnerabilities, warning that a wave of attacks would arrive soon.

Like night after day, the exploits have appeared, as Gregg Keizer explains in his Computerworld article "Windows DLL exploits boom." Two separate websites -- the Exploit Database's DLL Hijacking Vulnerable Applications list and Peter Van Eeckhoutte's DLL Hijacking Unofficial list -- currently have details on more than 80 Windows applications that are susceptible to this kind of security breach.

With so many application heavyweights in the bad guys' crosshairs -- such programs as AutoCAD 2007, Illustrator CS 4, Dreamweaver CS 5, Google Earth and Chrome, uTorrent, PowerPoint 2007 and 2010, Word 2007, Groove 2007, Visio 2003 and 2010, Foxit Reader, Firefox, Thunderbird, and WinRAR appear on the vulnerable lists -- you can safely assume we've only seen a tiny slice of all the exploits due to plague us shortly.
More -
How to thwart the new DLL hijacks | Anti virus - InfoWorld


30 Aug 2010   #3
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

From JMH's link.

Quote:
Let's take a deep breath, step back, and take a closer look.
DLL Hijacking requires two files: a data file (more accurately, a file with a filename extension that's associated with a program that's susceptible to DLL hijacking) and a jiggered DLL file. In most cases, both files have to reside in the same folder. Yes, the rogue DLL can be in a different folder, but if somebody can plant a bad DLL in your system folder, you're hosed anyway.
Most companies block network access (WebDAV and SMB) at the corporate firewall. So most companies (and most users) are primarily concerned about getting infected by a pair of files sitting in a folder on a USB drive, a network share, a CD, possibly inside the same ZIP file, or some similar location. Typically, the victim navigates to the folder in Windows Explorer and double-clicks on the data file, thus invoking the vulnerable program that runs the jiggered DLL, which sits in the same folder. That isn't the only way to get infected from a DLL hijacking exploit, but from what I've seen it's by far the most common.
I have two recommendations.
First, never double-click on a file that's in a potentially compromised location. Drag it to your desktop, then open it.
If you want to open a Word document that's sitting on a USB drive, for example, drag the file onto your desktop and open it from there. If you see a PPT file on a network share, drag it to your desktop and open it. Have a Visio VSD inside a ZIP file? Extract the VSD from the ZIP first, then open it. Since the DLL hijacking trick (almost) always requires that the two files sit in the same folder, simply dragging the data file somewhere else breaks the link and foils the hijack.
Second, make Windows show you filename extensions and hidden files.
I've been preaching about this for a decade, but every Windows user should be allowed to see filename extensions and hidden files. If you or your users are savvy enough to spot a DLL file sitting in an unusual location, you could readily prevent a hijacking.

I've always had "show filename extensions" on, and it has sometimes happened that I double-clicked inside a folder, but now it looks like the recommendation in this article will make me never do it again...
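Both recommendations quoted above can be checked from PowerShell. The script below is an added example written for this thread, not code from the InfoWorld article, from Microsoft, or from any poster here. It assumes Windows 7 with PowerShell 2.0 or later; the function names, the list of data-file extensions and the folder path are assumptions chosen for illustration. It turns on extension and hidden-file display (the Explorer values HideFileExt and Hidden under HKCU) and then audits a folder, such as a USB drive or an extracted ZIP, for DLLs sitting next to document files, hidden ones included.

```powershell
# Added example (not from the InfoWorld article or this thread): make Explorer show
# extensions and hidden files, then audit a folder for DLLs sitting beside data files.
# Assumptions: Windows 7, PowerShell 2.0+, folder path supplied by the caller.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-ExtensionsAndHiddenFiles {
    # HideFileExt = 0 shows filename extensions; Hidden = 1 shows hidden files and folders.
    Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord
    Set-ItemProperty -Path $explorerKey -Name 'Hidden'      -Value 1 -Type DWord
    # Explorer reads these when a window opens; restart explorer.exe to apply everywhere at once.
}

function Find-SuspiciousDllNeighbours {
    param([Parameter(Mandatory = $true)][string]$Folder)

    # Data-file extensions taken from the article's examples; extend as needed (assumption).
    $dataExtensions = @('.doc', '.docx', '.ppt', '.pptx', '.vsd', '.pdf', '.dwg', '.ai')

    # -Force includes hidden files, which is how a planted DLL would usually be stored.
    Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Group-Object { $_.DirectoryName } |
        ForEach-Object {
            $files = $_.Group
            $dlls  = $files | Where-Object { $_.Extension -ieq '.dll' }
            $docs  = $files | Where-Object { $dataExtensions -contains $_.Extension.ToLower() }
            # The hijack needs both halves in one folder: report only folders that have both.
            if ($dlls -and $docs) {
                foreach ($dll in $dlls) {
                    New-Object PSObject -Property @{
                        Folder    = $_.Name
                        Dll       = $dll.Name
                        Hidden    = (($dll.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                        DataFiles = ($docs | ForEach-Object { $_.Name }) -join ', '
                    }
                }
            }
        }
}

# Usage (E:\ stands for a removable drive; assumption):
# Show-ExtensionsAndHiddenFiles
# Find-SuspiciousDllNeighbours -Folder 'E:\' | Format-Table Folder, Dll, Hidden, DataFiles -AutoSize
```

A DLL reported here is not proof of anything on its own, since many legitimate installers ship DLLs beside their data; it is the cue the article describes, namely a DLL in a place where only documents are expected, and the author's advice still applies: drag the document to the desktop and open it from there.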


30 Aug 2010   #4

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

This download does not fix the problem but allows you to set some registry settings that restrict your programs. The bad part is some of your programs may stop working, so it's not for the faint of heart. Read the following.

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Jim
30 Aug 2010   #5
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by Phone Man
This download does not fix the problem but allows you to set some registry settings that restrict your programs. The bad part is some of your programs may stop working, so it's not for the faint of heart. Read the following.

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Jim
I'm aware of that, and some could follow the discussion over there for better understanding. I did apply the two registry settings five days ago (not the downloadable patch yet)... still no issues.

Cross-fingered!

Researcher: 40 Windows Apps Affected by Critical Flaw
30 Aug 2010   #6

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

Quote: Originally Posted by NoN
I'm aware of that, and some could follow the discussion over there for better understanding. I did apply the two registry settings five days ago (not the downloadable patch yet)... still no issues.

Cross-fingered!

Researcher: 40 Windows Apps Affected by Critical Flaw
I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim
30 Aug 2010   #7
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by Phone Man
I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim
Yes, I saw that. I've got to save some work before applying the patches after the registry change. Well, I'm doing it in two steps! Better do a restore point before...

I'm sure those manufacturers will be part paid by MS to patch their products soon!
30 Aug 2010   #8

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

Quote: Originally Posted by NoN
Yes, I saw that. I've got to save some work before applying the patches after the registry change. Well, I'm doing it in two steps! Better do a restore point before...

I'm sure those manufacturers will be part paid by MS to patch their products soon!
Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim
05 Sep 2010   #9
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by Phone Man
Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim
Patch KB2264107 installed after recreating the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the other options while I'm in...!

Let's see all that in the next few days!
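NoN's post above installs KB2264107 and sets CWDIllegalInDllSearch globally to 1. The PowerShell below is an added example, not code from this thread or from Microsoft's KB article; it assumes an elevated prompt on Windows 7 and that the KB2264107 update is installed, because without it the registry value is ignored (Jim's point earlier in the thread). The function names are my own; the two registry paths (the global Session Manager value and the per-application value under Image File Execution Options) and the four value meanings are the ones KB2264107 documents.

```powershell
# Added example (not from this thread or from KB2264107 itself): read, set and verify
# the CWDIllegalInDllSearch mitigation that KB2264107 introduces.
# Assumptions: elevated PowerShell on Windows 7; the update KB2264107 is installed.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeo           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$valueName      = 'CWDIllegalInDllSearch'

function Get-CwdSearchPolicy {
    # Optional: a per-application override, e.g. 'winword.exe', which lives under IFEO.
    param([string]$Application)
    $path = if ($Application) { Join-Path $ifeo $Application } else { $sessionManager }
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'not set (default search order: the current directory is searched)' }
    # A REG_DWORD reads back as Int32, so 0xFFFFFFFF arrives as -1; mask it back to unsigned.
    $raw = [int64]$item.$valueName -band 0xFFFFFFFF
    switch ($raw) {
        0          { 'default search order (no mitigation)' }
        1          { 'block DLL loads from the current directory when it is a WebDAV folder' }
        2          { 'block DLL loads from the current directory when it is any remote folder (WebDAV or UNC)' }
        4294967295 { 'current directory removed from the DLL search order entirely' }
        default    { 'unrecognised value 0x{0:X8}' -f $raw }
    }
}

function Set-CwdSearchPolicy {
    param(
        # 0, 1, 2, or -1 (which the DWORD write stores as 0xFFFFFFFF).
        [Parameter(Mandatory = $true)][int]$Value,
        [string]$Application
    )
    if (@(0, 1, 2, -1) -notcontains $Value) { throw 'Value must be 0, 1, 2 or -1' }
    $path = if ($Application) { Join-Path $ifeo $Application } else { $sessionManager }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $valueName -Value $Value -Type DWord
}

function Test-Kb2264107Installed {
    # Whatever the value says, it has no effect until the update that honours it is installed.
    [bool](Get-HotFix | Where-Object { $_.HotFixID -eq 'KB2264107' })
}

# Usage, reproducing what NoN describes: update present, global value set to 1.
# "KB2264107 installed: $(Test-Kb2264107Installed)"
# Set-CwdSearchPolicy -Value 1
# Get-CwdSearchPolicy
# Get-CwdSearchPolicy -Application 'winword.exe'   # per-application override, if one exists
```

Value 1 only covers the WebDAV case the thread's articles focus on; 2 also covers UNC shares, and -1 (0xFFFFFFFF) drops the current directory from the search order altogether, which is the setting most likely to break the programs Jim warns about. The per-application form lets you apply the stricter values only to the programs on the vulnerable lists and leave the rest alone.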
05 Sep 2010   #10
JMH

Win 7 Ultimate 64-bit. SP1.
 
 

Quote:
Escape from Windows DLL security hell

Simply avoiding certain websites and downloads won't shield you from the DLL library loading hack, but this advice will help

The Windows DLL library loading vulnerability is gaining hacker attention. Although no one can accurately predict the next "big one," malicious cyber fiends are likely to use this exploit method against innocent computer users.

The threat is unlikely to go as big as, say, Code Red or the SQL Slammer worm because fully remote worm attacks are always more likely to spread than something that requires human interaction. Still, it has plenty of long-term potential. I -- and every other security expert -- recommend taking a few basic precautions to help diminish risk within your companies and at home.

For those of you not already intimately familiar with the details of the vulnerability, several months ago a Slovenian computer security company, ACROS Security, (re)discovered a code problem within many popular programs, one that is exacerbated by the way Windows handles executing code. ACROS is to be commended for reporting its finding to Microsoft on March 24 and working with Microsoft (my employer) to try and come up with a best solution. By the way, there isn't a single, best fix.
Source -
Escape from Windows DLL security hell | Security Central - InfoWorld