Windows 7 Forums

Windows 7: How to thwart the new DLL hijacks

05 Sep 2010   #11
CarlTR6

Windows 7 Ultimate 32 bit
 
 

Jan, very good information and a good thread. Thanks.


05 Sep 2010   #12
JMH

Win 7 Ultimate 64-bit. SP1.
 
 

Quote:
Update on Security Advisory 2269637
Hi everyone,

Since we released Security Advisory 2269637 on August 23, we've continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We'd like to provide an update on our investigation.

First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers. This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important.

One of the goals we have at Microsoft is to make it easy for developers to create secure applications on our platform. As we stated in our previous blog post, DLL preloading is a well-known class of vulnerabilities and we have had guidance for developers in place for quite some time. We have recently updated that guidance to provide more clarity.

Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible. With the advisory, we released a tool to help customers protect their systems (see KB 2264107). This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading. When installed, this tool still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting. As a result, our Security Research & Defense team has written a detailed blog post on this topic and has worked with our Microsoft Fix-it team to develop a Fix-it to enable our recommended setting which blocks most network-based attack vectors. (Please note that the tool needs to be installed prior to enabling the Fix-it.)
More -
Update on Security Advisory 2269637 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
06 Sep 2010   #13
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by JMH
Update on Security Advisory 2269637
Saw that news around, thanks for the reminder.

By the way... it looks like the impact will be very low on a Windows 7 system, as the path:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>" is not loaded with apps and DLLs (surely on mine!).

I've still got no problems at the moment on a Windows 7 x64 Pro version, after installing that KB and making the registry change.

In XP SP3, I think it will be a disaster to install this KB2264107, as the same path is fully loaded with apps and DLLs.

Didn't have time yet to check the path on Vista SP2...!

07 Sep 2010   #14
Lomai

Win7 HP (x64)/Win7 Ultimate (x64)
 
 

Thanks all for the information provided

Regards
07 Sep 2010   #15
CarlTR6

Windows 7 Ultimate 32 bit
 
 

Quote: Originally Posted by Lomai
Thanks all for the information provided

Regards
Agreed. Very good information.
07 Sep 2010   #16
Phone Man

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

Quote: Originally Posted by NoN
Quote: Originally Posted by Phone Man
Quote: Originally Posted by NoN

Yes, I saw that. I've got to save some work before applying the patches after the registry change. Well, I'm doing it in two steps! Better do a restore point before....

I'm sure those manufacturers will be part paid by MS to patch their products soon!
Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim
Patch KB 2264107 installed after recreating the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the other options while I'm in...!

Let's see all that over the next few days!
I did the update also and ran the FixIt from MS which sets the registry key to 2. This blocks all network loads of DLLs if the program is started on the local computer which is ALL my programs.

Jim
07 Sep 2010   #17
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by Phone Man
Quote: Originally Posted by NoN
Quote: Originally Posted by Phone Man

Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim
Patch KB 2264107 installed after recreating the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the other options while I'm in...!

Let's see all that over the next few days!
I did the update also and ran the FixIt from MS which sets the registry key to 2. This blocks all network loads of DLLs if the program is started on the local computer which is ALL my programs.

Jim
Hi there,

Glad you are testing as well... I'm set on registry Option 1, which had the effect of blocking the DLL from loading in any of their configurations.

Yours are:
DLL Registry Key Option 2 is blocked in this config:
C:\Program Files
and
DLL Registry Key Option 2 is allowed in this config:
\\remote\share

Setting it to 1 was a manual registry change, and I didn't run the MS Fix it to automate the solution.

Gonna try their Fix it option as well.

PS: On Vista SP2, the registry path has the same config as in Windows 7....
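
An added audit example (not part of the thread, and not Microsoft's code): a PowerShell script that reads the CWDIllegalInDllSearch value discussed in the posts above, both machine-wide under Session Manager and per application under Image File Execution Options, and prints what each setting does. The value meanings are taken from KB 2264107 for a program started from a local folder; the function names are hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the CWDIllegalInDllSearch mitigation from KB 2264107.
$ValueName = 'CWDIllegalInDllSearch'
$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Returns the value as an unsigned number, or $null when it is not set.
function Read-CwdValue {
    param([string]$Path)
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # 0xFFFFFFFF may be returned as -1; normalise to an unsigned number.
    $v = [int64]$item.$ValueName
    if ($v -lt 0) { $v += 4294967296 }
    return $v
}

# Meanings per KB 2264107 for a program started from a local folder.
function Get-CwdMeaning {
    param($Value)
    if ($null -eq $Value) { return 'not set: default search order, CWD is searched' }
    switch ($Value) {
        0          { return 'default search order, CWD is searched' }
        1          { return 'CWD skipped when it is a WebDAV folder' }
        2          { return 'CWD skipped when it is a WebDAV or UNC folder' }
        4294967295 { return 'CWD removed from the DLL search order' }
        default    { return 'unrecognised value' }
    }
}

function New-Row {
    param($Scope, $Value)
    [pscustomobject]@{ Scope = $Scope; Value = $Value; Meaning = Get-CwdMeaning $Value }
}

$machine = Read-CwdValue -Path $GlobalKey
$rows = @(New-Row 'Machine-wide' $machine)

# Per-application overrides sit under Image File Execution Options\<binary name>.
foreach ($key in Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue) {
    $v = Read-CwdValue -Path $key.PSPath
    if ($null -ne $v) { $rows += New-Row $key.PSChildName $v }
}

$rows | Format-Table -AutoSize
if ($null -eq $machine -or $machine -eq 0) {
    Write-Warning 'No machine-wide CWDIllegalInDllSearch restriction is set.'
}
```
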
09 Sep 2010   #18
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Morning everyone,

Just received this in the morning mail. I think (?) it is a different slant on the subject....
A threat to common ".dll" files hits many apps

What really caught my eye was the part about the router adjustments.

I will have to brush up on what is posted here, and report back.
09 Sep 2010   #19
CarlTR6

Windows 7 Ultimate 32 bit
 
 

Good information, Anak, especially the router adjustments. Thanks.
09 Sep 2010   #20
Phone Man

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

Here is a link to track the programs that are vulnerable and which ones have a fix. Scroll down for a list by vendor. For the ones that show fixed, click on the SAID and it will show the fix on that page. Most times it shows what version has the fix. These are the programs that Secunia has verified.

Insecure Library Loading - Advisories - Community

Jim