How to thwart the new DLL hijacks

JMH

Banned
Local time
7:34 AM
Messages
6,448
Earlier this week I wrote in Tech Watch about a whole new class of Windows zero-day vulnerabilities, warning that a wave of attacks would arrive soon.

Like night after day, the exploits have appeared, as Gregg Keizer explains in his Computerworld article "Windows DLL exploits boom." Two separate websites -- the Exploit Database's DLL Hijacking Vulnerable Applications list and Peter Van Eeckhoutte's DLL Hijacking Unofficial list -- currently have details on more than 80 Windows applications that are susceptible to this kind of security breach.

With so many application heavyweights in the bad guys' crosshairs -- such programs as AutoCAD 2007, Illustrator CS 4, Dreamweaver CS 5, Google Earth and Chrome, uTorrent, PowerPoint 2007 and 2010, Word 2007, Groove 2007, Visio 2003 and 2010, Foxit Reader, Firefox, Thunderbird, and WinRAR appear on the vulnerable lists -- you can safely assume we've only seen a tiny slice of all the exploits due to plague us shortly.
More -
How to thwart the new DLL hijacks | Anti virus - InfoWorld
 

My Computer My Computer

At a glance

Win 7 Ultimate 64-bit. SP1.Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6...8 DDR 3 RAM. 1066MHZATI 1024 MB. DDR3. Radeon HD5650
Computer Manufacturer/Model Number
LAPTOP. HP Pavilion dv7-4010TX .
OS
Win 7 Ultimate 64-bit. SP1.
CPU
Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6MB Cache.]
Memory
8 DDR 3 RAM. 1066MHZ
Graphics Card(s)
ATI 1024 MB. DDR3. Radeon HD5650
Monitor(s) Displays
17.3" High Definition Brightview LCD. LED Backlit.
Screen Resolution
1600 x 900.
Hard Drives
640GB
Case
Laptop / notebook.
Mouse
Logitech Anywhere mouse. MX.
Internet Speed
ADSL [ but too slow ]

My Computer My Computer

At a glance

Win7 x64i5-3570K2x4GB Rip Jaws 8-9-9-24Asus R9 280X
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Black Shadow IV
OS
Win7 x64
CPU
i5-3570K
Motherboard
Asrock Z77 Extreme4
Memory
2x4GB Rip Jaws 8-9-9-24
Graphics Card(s)
Asus R9 280X
Sound Card
X-Fi Extreme Music
Monitor(s) Displays
Dell U2412M
Screen Resolution
1920x1200
Hard Drives
Samsung Evo 250GB /
OCZ Vertex 4 128GB
PSU
Seasonic 660XP2
Case
Fractal Design R4
Cooling
Noctua NH-U12S
From JMH link.

Let's take a deep breath, step back, and take a closer look.
DLL Hijacking requires two files: a data file (more accurately, a file with a filename extension that's associated with a program that's susceptible to DLL hijacking) and a jiggered DLL file. In most cases, both files have to reside in the same folder. Yes, the rogue DLL can be in a different folder, but if somebody can plant a bad DLL in your system folder, you're hosed anyway.
Most companies block network access (WebDAV and SMB) at the corporate firewall. So most companies (and most users) are primarily concerned about getting infected by a pair of files sitting in a folder on a USB drive, a network share, a CD, possibly inside the same ZIP file, or some similar location. Typically, the victim navigates to the folder in Windows Explorer and double-clicks on the data file, thus invoking the vulnerable program that runs the jiggered DLL, which sits in the same folder. That isn't the only way to get infected from a DLL hijacking exploit, but from what I've seen it's by far the most common.
I have two recommendations.
First, never double-click on a file that's in a potentially compromised location. Drag it to your desktop, then open it.
If you want to open a Word document that's sitting on a USB drive, for example, drag the file onto your desktop and open it from there. If you see a PPT file on a network share, drag it to your desktop and open it. Have a Visio VSD inside a ZIP file? Extract the VSD from the ZIP first, then open it. Since the DLL hijacking trick (almost) always requires that the two files sit in the same folder, simply dragging the data file somewhere else breaks the link and foils the hijack.
Second, make Windows show you filename extensions and hidden files.
I've been preaching about this for a decade, but every Windows user should be allowed to see filename extensions and hidden files. If you or your users are savvy enough to spot a DLL file sitting in an unusual location, you could readily prevent a hijacking.


I've been always "show filename extensions" and it happenned sometimes me double clicking inside a folder, but now looks that recommendation in this actual place, will make me never do it...
 
Last edited:

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)

My Computer My Computer

At a glance

Windows 8.1 Pro w/Media Center 64bit, Windows...Phenom II X6 1100TCrucial Balistic 8gb DDR3-1866 CL9MSI R6850 Cyclone IGD5 PE
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner

This download does not fix the problem but allows you to set some register settings that restrict your programs. The bad part is some of your programs may stop working so its not for the faint of heart. Read the following.

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Jim :geek:

I'm aware of that, and some could follow this discuss over there for better understanding. i did applyed the two registry settings five days ago (not the downloadable patch yet)...still no issues.

Cross-fingered! :)

http://www.sevenforums.com/news/105481-researcher-40-windows-apps-affected-critical-flaw.html
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)

This download does not fix the problem but allows you to set some register settings that restrict your programs. The bad part is some of your programs may stop working so its not for the faint of heart. Read the following.

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Jim :geek:

I'm aware of that, and some could follow this discuss over there for better understanding. i did applyed the two registry settings five days ago (not the downloadable patch yet)...still no issues.

Cross-fingered! :)

http://www.sevenforums.com/news/105481-researcher-40-windows-apps-affected-critical-flaw.html

I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim :cool:
 

My Computer My Computer

At a glance

Windows 8.1 Pro w/Media Center 64bit, Windows...Phenom II X6 1100TCrucial Balistic 8gb DDR3-1866 CL9MSI R6850 Cyclone IGD5 PE
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner
This download does not fix the problem but allows you to set some register settings that restrict your programs. The bad part is some of your programs may stop working so its not for the faint of heart. Read the following.

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Jim :geek:

I'm aware of that, and some could follow this discuss over there for better understanding. i did applyed the two registry settings five days ago (not the downloadable patch yet)...still no issues.

Cross-fingered! :)

http://www.sevenforums.com/news/105481-researcher-40-windows-apps-affected-critical-flaw.html

I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim :cool:

Yes i saw that, i've got to save some work before applying the patches after the registry change. Well i'm doing it in two steps!:huh:. Better do a restore point before....

I'm sure those manufacturers will be part paid by MS to patch their products soon!
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
I'm aware of that, and some could follow this discuss over there for better understanding. i did applyed the two registry settings five days ago (not the downloadable patch yet)...still no issues.

Cross-fingered! :)

http://www.sevenforums.com/news/105481-researcher-40-windows-apps-affected-critical-flaw.html

I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim :cool:

Yes i saw that, i've got to save some work before applying the patches after the registry change. Well i'm doing it in two steps!:huh:. Better do a restore point before....

I'm sure those manufacturers will be part paid by MS to patch their products soon!

Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim :geek:
 

My Computer My Computer

At a glance

Windows 8.1 Pro w/Media Center 64bit, Windows...Phenom II X6 1100TCrucial Balistic 8gb DDR3-1866 CL9MSI R6850 Cyclone IGD5 PE
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner
I just wanted to clarify the information so someone would not assume just downloading the file would fix the problem. My understanding is that you needed to download the patch for the registry settings to work. I am sure we will see lots of updates coming out as everyone scrambles to fix their products.

Jim :cool:

Yes i saw that, i've got to save some work before applying the patches after the registry change. Well i'm doing it in two steps!:huh:. Better do a restore point before....

I'm sure those manufacturers will be part paid by MS to patch their products soon!

Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim :geek:

Patch kb 2264107 installed after recreated the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the others options while i'm in...!:huh:

Let see all that next few days! :sarc::confused::)
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Escape from Windows DLL security hell

Simply avoiding certain websites and downloads won't shield you from the DLL library loading hack, but this advice will help

The Windows DLL library loading vulnerability is gaining hacker attention. Although no one can accurately predict the next "big one," malicious cyber fiends are likely to use this exploit method against innocent computer users.

The threat is unlikely to go as big as, say, Code Red or the SQL Slammer worm because fully remote worm attacks are always more likely to spread than something that requires human interaction. Still, it has plenty of long-term potential. I -- and every other security expert -- recommend taking a few basic precautions to help diminish risk within your companies and at home.

For those of you not already intimately familiar with the details of the vulnerability, several months ago a Slovenian computer security company, ACROS Security, (re)discovered a code problem within many popular programs, one that is exacerbated by the way Windows handles executing code. ACROS is to be commended for reporting its finding to Microsoft on March 24 and working with Microsoft (my employer) to try and come up with a best solution. By the way, there isn't a single, best fix.
Source -
Escape from Windows DLL security hell | Security Central - InfoWorld
 

My Computer My Computer

At a glance

Win 7 Ultimate 64-bit. SP1.Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6...8 DDR 3 RAM. 1066MHZATI 1024 MB. DDR3. Radeon HD5650
Computer Manufacturer/Model Number
LAPTOP. HP Pavilion dv7-4010TX .
OS
Win 7 Ultimate 64-bit. SP1.
CPU
Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6MB Cache.]
Memory
8 DDR 3 RAM. 1066MHZ
Graphics Card(s)
ATI 1024 MB. DDR3. Radeon HD5650
Monitor(s) Displays
17.3" High Definition Brightview LCD. LED Backlit.
Screen Resolution
1600 x 900.
Hard Drives
640GB
Case
Laptop / notebook.
Mouse
Logitech Anywhere mouse. MX.
Internet Speed
ADSL [ but too slow ]
Jan, very good information and a good thread. Thanks.
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32 bitIntel(R) Pentium(R) 4 CPU 3.00GHz2.50 GB RAMNVIDIA GeForce 7600 GS
Computer Manufacturer/Model Number
Home built
OS
Windows 7 Ultimate 32 bit
CPU
Intel(R) Pentium(R) 4 CPU 3.00GHz
Motherboard
ASUS P4P800-VM Motherboard Chipset: Intel 865G + ICH5
Memory
2.50 GB RAM
Graphics Card(s)
NVIDIA GeForce 7600 GS
Sound Card
SoundMax Integrated Digital Audio (Chip)
Monitor(s) Displays
ViewSonic VX 1962 wm
Screen Resolution
1680 X 1050
Hard Drives
Seagate Barracuda 7200.10 80 GB
ST380215A ATA Device 18.6 GB
Western Digital "My Book" external hard drive 750 GB
Cooling
Fan based
Keyboard
Microsoft Comfort Curve Keyboard 2000 v10 USB
Mouse
Logitec optic USB
Internet Speed
3.01 Mb/s download 0.64 Mb/s upload
Update on Security Advisory 2269637
Hi everyone,

Since we released Security Advisory 2269637 on August 23, we've continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We'd like to provide an update on our investigation.

First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers. This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important.

One of the goals we have at Microsoft is to make it easy for developers to create secure applications on our platform. As we stated in our previous blog post, DLL preloading is a well-known class of vulnerabilities and we have had guidance for developers in place for quite some time. We have recently updated that guidance to provide more clarity.

Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible. With the advisory, we released a tool to help customers protect their systems (see KB 2264107). This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading. When installed, this tool still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting. As a result, our Security Research & Defense team has written a detailed blog post on this topic and has worked with our Microsoft Fix-it team to develop a Fix-it to enable our recommended setting which blocks most network-based attack vectors. (Please note that the tool needs to be installed prior to enabling the Fix-it.)
More -
Update on Security Advisory 2269637 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
 

My Computer My Computer

At a glance

Win 7 Ultimate 64-bit. SP1.Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6...8 DDR 3 RAM. 1066MHZATI 1024 MB. DDR3. Radeon HD5650
Computer Manufacturer/Model Number
LAPTOP. HP Pavilion dv7-4010TX .
OS
Win 7 Ultimate 64-bit. SP1.
CPU
Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6MB Cache.]
Memory
8 DDR 3 RAM. 1066MHZ
Graphics Card(s)
ATI 1024 MB. DDR3. Radeon HD5650
Monitor(s) Displays
17.3" High Definition Brightview LCD. LED Backlit.
Screen Resolution
1600 x 900.
Hard Drives
640GB
Case
Laptop / notebook.
Mouse
Logitech Anywhere mouse. MX.
Internet Speed
ADSL [ but too slow ]
Update on Security Advisory 2269637
Hi everyone,

Since we released Security Advisory 2269637 on August 23, we've continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We'd like to provide an update on our investigation.

First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers. This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important.

One of the goals we have at Microsoft is to make it easy for developers to create secure applications on our platform. As we stated in our previous blog post, DLL preloading is a well-known class of vulnerabilities and we have had guidance for developers in place for quite some time. We have recently updated that guidance to provide more clarity.

Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible. With the advisory, we released a tool to help customers protect their systems (see KB 2264107). This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading. When installed, this tool still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting. As a result, our Security Research & Defense team has written a detailed blog post on this topic and has worked with our Microsoft Fix-it team to develop a Fix-it to enable our recommended setting which blocks most network-based attack vectors. (Please note that the tool needs to be installed prior to enabling the Fix-it.)
More -
Update on Security Advisory 2269637 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs

Saw those news around, thanks for the remind.

By the way...looks the impact will be very low on a Windows 7 system as the path:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>" is not loaded of Apps & Dll (surely on mine!).

I still got no probs at the moment on a Windows 7 x64 Pro version, after installing that KB & registry change.

In XP SP3, i think it will be a disaster to install this kb2264107 as the same path is fully loaded of Apps & DLL.

Didn't have time yet to check the path on Vista SP2...!
 
Last edited:

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Thanks all for the information provided

Regards
 

My Computer My Computer

At a glance

Win7 HP (x64)/Win7 Ultimate (x64)Core i7 9206 x 2GB Corsair XMS3CF HD4890
Computer Manufacturer/Model Number
Custom
OS
Win7 HP (x64)/Win7 Ultimate (x64)
CPU
Core i7 920
Motherboard
Intel X58
Memory
6 x 2GB Corsair XMS3
Graphics Card(s)
CF HD4890
Sound Card
Asus Xonar
Monitor(s) Displays
Dell 2408WFP
Screen Resolution
1920 x 1200
Hard Drives
2 x 150GB WDC Velociraptors (Raid 0)
1 x 1TB Seagate
1 x 1.5TB Seagate
PSU
Corsair HX1000W
Case
Antec 1200
Keyboard
Razer Lycosa/N52te
Mouse
Razer Lachesis

My Computer My Computer

At a glance

Windows 7 Ultimate 32 bitIntel(R) Pentium(R) 4 CPU 3.00GHz2.50 GB RAMNVIDIA GeForce 7600 GS
Computer Manufacturer/Model Number
Home built
OS
Windows 7 Ultimate 32 bit
CPU
Intel(R) Pentium(R) 4 CPU 3.00GHz
Motherboard
ASUS P4P800-VM Motherboard Chipset: Intel 865G + ICH5
Memory
2.50 GB RAM
Graphics Card(s)
NVIDIA GeForce 7600 GS
Sound Card
SoundMax Integrated Digital Audio (Chip)
Monitor(s) Displays
ViewSonic VX 1962 wm
Screen Resolution
1680 X 1050
Hard Drives
Seagate Barracuda 7200.10 80 GB
ST380215A ATA Device 18.6 GB
Western Digital "My Book" external hard drive 750 GB
Cooling
Fan based
Keyboard
Microsoft Comfort Curve Keyboard 2000 v10 USB
Mouse
Logitec optic USB
Internet Speed
3.01 Mb/s download 0.64 Mb/s upload
Yes i saw that, i've got to save some work before applying the patches after the registry change. Well i'm doing it in two steps!:huh:. Better do a restore point before....

I'm sure those manufacturers will be part paid by MS to patch their products soon!

Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim :geek:

Patch kb 2264107 installed after recreated the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the others options while i'm in...!:huh:

Let see all that next few days! :sarc::confused::)

I did the update also and ran the FixIt from MS which sets the registry key to 2. This blocks all network loads of DLL's if the program is started on the local computer which is ALL my programs.

Jim :geek:
 

My Computer My Computer

At a glance

Windows 8.1 Pro w/Media Center 64bit, Windows...Phenom II X6 1100TCrucial Balistic 8gb DDR3-1866 CL9MSI R6850 Cyclone IGD5 PE
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner
Let us know how it works out and if it breaks any programs. Glad we have a brave "tester" on board.

Jim :geek:

Patch kb 2264107 installed after recreated the registry key CWDIllegalInDllSearch in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", set to 1.

Might test the others options while i'm in...!:huh:

Let see all that next few days! :sarc::confused::)

I did the update also and ran the FixIt from MS which sets the registry key to 2. This blocks all network loads of DLL's if the program is started on the local computer which is ALL my programs.

Jim :geek:

Hi there,

Glad you are on test aswell...i'm set on registry Option 1, that had for an effect to block the dll to load in any of their configurations.

yours are:
DLL Registry Key Option 2 is blocked in this config:
C:\\Program Files
and
DLL Registry Key Options 2 is allowed in this config:
\\remote\shareremote\share

Set to 1 is manually registry change and i didn't run the MS Fix it to automated the solution.

Gonna try aswell their Fix it option.

PS: Vista SP2 and the registry path is the same config as in Windows 7....
 

My Computer My Computer

At a glance

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]Ivy Bridge Core i5 3570K (Delidded)G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)Asus Dual-RX480-O4G
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Morning everyone,

Just recieved this in the morning mail. I think ? it is a different slant on the subject....
A threat to common ".dll" files hits many apps

What really caught my eye was the part about the router adjustments.

I will have to brush up on what is posted here, and report back.
 

My Computer My Computer

At a glance

Originally Win 7 Hm Prem x64 Ver 6.1.7600 Bui...Intel i3 530 2.93GHz, 2933MHz 2 Cores 4 Logic...6GB of 1,333MHz DDR3 SDRAM32MB Intel Graphics Media Accelerator HD IGChip
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Gateway DX4831-01e (Mid-Tower Desktop)
OS
Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
CPU
Intel i3 530 2.93GHz, 2933MHz 2 Cores 4 Logical Processors
Motherboard
Gateway H57M01 133 megahertz
Memory
6GB of 1,333MHz DDR3 SDRAM
Graphics Card(s)
32MB Intel Graphics Media Accelerator HD IGChip
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Gateway HX2000 20inch TFT active matrix TN
Screen Resolution
1600 x 900 x 59 hertz
Hard Drives
WDC WD10EADS-00M2B0 [HDD] (1000.20 GB) -- drive 0,
HL-DT-ST DVDRAM GH41N [CD-ROM dr]
Four card readers, and Four USB 2.0
PSU
300watts.
Case
Mid-Tower Desktop
Cooling
Stock from Gateway
Keyboard
Natural Ergonomic Keyboard 4000, see Other Info
Mouse
Orig. Gateway wore out now using Insignia USB wired optical
Internet Speed
Vz FIOS 10ms png 57.64Mbps down 65.53Mbps up Speedtest.org
Antivirus
Zamana Anti-logger with Anti-malware, MSE, Windows Firewall,
Browser
IE11.0.9600.19399-Upd ver11.0.135, Firefox 68.0.1 x64
Other Info
System Specs by Belarc.

BIOS: American Megatrends Inc. P01-A0 11/17/2009

Replaced the MS 'Natural' Standard PS/2 Enhanced 101-102 Keyboard with a new Natural Ergonomic Keyboard 4000 on August 1st 2014.

Canon Pixma MG3222 Printer.

Updated to IE11 on 12102015 | Fios Quantum Router g1100

Additional AV: SpywareBlaster, manual Mbam, SAS
Good information, Anak, especially the router adjustments. Thanks.
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32 bitIntel(R) Pentium(R) 4 CPU 3.00GHz2.50 GB RAMNVIDIA GeForce 7600 GS
Computer Manufacturer/Model Number
Home built
OS
Windows 7 Ultimate 32 bit
CPU
Intel(R) Pentium(R) 4 CPU 3.00GHz
Motherboard
ASUS P4P800-VM Motherboard Chipset: Intel 865G + ICH5
Memory
2.50 GB RAM
Graphics Card(s)
NVIDIA GeForce 7600 GS
Sound Card
SoundMax Integrated Digital Audio (Chip)
Monitor(s) Displays
ViewSonic VX 1962 wm
Screen Resolution
1680 X 1050
Hard Drives
Seagate Barracuda 7200.10 80 GB
ST380215A ATA Device 18.6 GB
Western Digital "My Book" external hard drive 750 GB
Cooling
Fan based
Keyboard
Microsoft Comfort Curve Keyboard 2000 v10 USB
Mouse
Logitec optic USB
Internet Speed
3.01 Mb/s download 0.64 Mb/s upload
Here is a link to track the programs that are vulnerable and which ones have a fix. Scroll down for a list by vendor. For the ones that show fixed, click on the SAID and it will show the fix on that page. Most times it shows what version has the fix. These are the programs that Secunia has verified.

Insecure Library Loading - Advisories - Community

Jim :geek:
 

My Computer My Computer

At a glance

Windows 8.1 Pro w/Media Center 64bit, Windows...Phenom II X6 1100TCrucial Balistic 8gb DDR3-1866 CL9MSI R6850 Cyclone IGD5 PE
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built
OS
Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
CPU
Phenom II X6 1100T
Motherboard
ASUS M5A99X EVO
Memory
Crucial Balistic 8gb DDR3-1866 CL9
Graphics Card(s)
MSI R6850 Cyclone IGD5 PE
Sound Card
On Board
Monitor(s) Displays
ASUS VE258Q 25" LED with DVI-HDMI-DisplayPort
Screen Resolution
1920 x 1080
Hard Drives
Two WD Cavier Black 2TB Sata III, WD My Book Essential 2TB USB 3.0
PSU
Seasonic X650 80 Plus GOLD Modular
Case
Corsair 400R
Cooling
Antec Kuhler H2O 620, Two 120mm and four 140mm
Keyboard
Logitech K120
Mouse
Logitech Marble Mouse USB, Logitech Precision Game Pad
Internet Speed
15MB
Antivirus
Norton IS 2013, Malwarebytes Pro Beta 2
Browser
IE-11, FF-27
Other Info
APC UPS ES 750, Netgear WNR3500L Gigabit & Wireless N Router with SamKnows Test Program, Motorola SB6120 Gigabit Cable Modem. Brother HL-2170W Laser Printer, Epson V300 Scanner
Back
Top