Windows DLL bug hits dozens of apps

Borg 386

ADHD Senior Member
Guru
Gold Member
VIP
Local time
4:09 AM
Messages
5,489
Location
In a house with a cat trying to kill me
A flaw in the way Windows handles DLL (dynamic-link library) and related files likely affects hundreds of applications and has already been used in malicious attacks in the wild, a security researcher said on Tuesday.

Microsoft acknowledged in an advisory on Monday a type of attack mechanism known as DLL preloading, or binary planting and said that while it is not new it does have a new remote-attack vector. Malicious code can now be planted on a network share instead of just on a local system, making it much easier to attack vulnerable systems by duping people into clicking on malicious Web links or opening malicious documents.

Now, the Exploit-db.com exploit database is getting flooded with submissions of applications that people say are vulnerable, including Windows Live Mail, Windows Movie Maker, Microsoft PowerPoint 2010, Office 2007, and non-Microsoft applications like Firefox 3.6.8, Foxit Reader, Wireshark and uTorrent, said Mati Aharoni, founder of security firm Offensive Security, which runs the exploit database.
Read More:

Windows DLL bug hits dozens of apps | Security - CNET News
 

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Don't you just love this consistent race to keep ahead :D
 

My Computer My Computer

At a glance

Windows 7 Pro 64 bitIntel(R) Core(TM) i7 CPU 870 @ 2.93GHz4GBNVIDIA GeForce GTX 470
Computer Manufacturer/Model Number
Proline
OS
Windows 7 Pro 64 bit
CPU
Intel(R) Core(TM) i7 CPU 870 @ 2.93GHz
Motherboard
H55-G43(MS-7638)
Memory
4GB
Graphics Card(s)
NVIDIA GeForce GTX 470
Sound Card
Onboard
Monitor(s) Displays
Proline LCD 19 inch
Screen Resolution
1280 x 1024
Hard Drives
2 x SATA 250 Gig 1 x External 2TB
PSU
RX 730 SS
Case
Proline
Cooling
Standard
Keyboard
PS2
Mouse
PS2
Internet Speed
To embarrassed to tell lol
At this point this is more like the race of the "researchers" trying to keep their names ahead of other researchers.

I've got a serious security announcement. Windows is insecure because users are allowed to install programs. Programs that may contain trojans. In fact ALL OSes (that are not admin locked down tight) are compeltely vunerable to this attack.

I suggest that all OS vendors now adopt a policy of not allowing any prgram or plugin installs after OS install to close this hole.

(There is significantly zero difference between "somehow" replacing a DLL in a program folder and replacing the exe itself or installing a new exe containing the exact same malicious payloads)
 

My Computer My Computer

At a glance

Windows 7 x64 Ultimatei7 96012 Gig Corsair DominatorNvidia 480
Computer Manufacturer/Model Number
Scratch built
OS
Windows 7 x64 Ultimate
CPU
i7 960
Motherboard
Asus P6X58D
Memory
12 Gig Corsair Dominator
Graphics Card(s)
Nvidia 480
Sound Card
Maudio Delta 44 + breakout box
Monitor(s) Displays
Dell UltraSharp U2410 24in and Samsung 21 dual monitors
Screen Resolution
1920x1200 and 1280x1024
Hard Drives
Primary: Intel X-25M G2 160G SSD
Secondary: Segate baracuda 1.0 TB
HDs in AHCI mode.
PSU
Corasair TX850
Case
Cooler Master HAF
Cooling
Corsair H50
Keyboard
Logitech G15 + N52 game pad
Mouse
Logitech MX518
Internet Speed
15kbs down 4.5kbps up
Other Info
WEI 7.6
CPU & RAM 7.6
Graphics 7.9
Hard disk 7.7

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Someone needs to be the guinea pig and test this on a test machine. From reading the article, there is a good chance that installing it may break nearly every single installed program on your machine since nearly every single installed program (of any heft) runs with DLLs in it's CWD and all programs default to allowing the OS to "search" for them rather than load them by hand.

The number of programs that work and how deeply they work till they break could vary greatly.
 

My Computer My Computer

At a glance

Windows 7 x64 Ultimatei7 96012 Gig Corsair DominatorNvidia 480
Computer Manufacturer/Model Number
Scratch built
OS
Windows 7 x64 Ultimate
CPU
i7 960
Motherboard
Asus P6X58D
Memory
12 Gig Corsair Dominator
Graphics Card(s)
Nvidia 480
Sound Card
Maudio Delta 44 + breakout box
Monitor(s) Displays
Dell UltraSharp U2410 24in and Samsung 21 dual monitors
Screen Resolution
1920x1200 and 1280x1024
Hard Drives
Primary: Intel X-25M G2 160G SSD
Secondary: Segate baracuda 1.0 TB
HDs in AHCI mode.
PSU
Corasair TX850
Case
Cooler Master HAF
Cooling
Corsair H50
Keyboard
Logitech G15 + N52 game pad
Mouse
Logitech MX518
Internet Speed
15kbs down 4.5kbps up
Other Info
WEI 7.6
CPU & RAM 7.6
Graphics 7.9
Hard disk 7.7
Someone needs to be the guinea pig and test this on a test machine. From reading the article, there is a good chance that installing it may break nearly every single installed program on your machine since nearly every single installed program (of any heft) runs with DLLs in it's CWD and all programs default to allowing the OS to "search" for them rather than load them by hand.

The number of programs that work and how deeply they work till they break could vary greatly.

Yeah I was kinda wondering about that after I saw what it involved

The patch breaks Chrome. When opening Chrome, it says it cannot find the file avutil-50.dll .

It appears the MS Tool does not actually add the CWDIllegalInDllSearch registry value, rather it just updates the .dll's outlined in A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm . Can someone verify this on their systems. I tested the update on XP SP3 and Win 7. Manual creation of the registry key seems to be needed.

Read More:

DLL hijacking vulnerabilities
 

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Excellent info. Thank you.
 

My Computer My Computer

At a glance

Windows 7Quad Core8GB
OS
Windows 7
CPU
Quad Core
Memory
8GB
Hard Drives
1TB
Here's a list of actual potentially vulnerable applications: DLL Hijacking (KB 2269637) – the unofficial list (Peter Van Eeckhoutte).

In the event a program is "broken" by the Microsoft tool, if you use WinPatrol PLUS, with this simple entry, WinPatrol will notify you if anyone tries to create and change the value.

The steps are simple. Start by launching WinPatrol, select the "Registry Monitoring" tab and click Add. A new window will open to add the item to be monitored.

  • Registry Key: In the Registry Key selection drop-down, make sure HKEY_LOCAL_MACHINE is selected.
  • Type or copy/paste the following in the space provided under Registry Key:
SYSTEM\CurrentControlSet\Control\Session Manager

  • Name: In the Name space, type or copy/paste CWDIllegalInDllSearch
  • Value: In the space for Value, type 1 (the number one).
  • Value Type: In the drop-down box, select REG_DWORD
  • Click the Add button.

If additional information is needed, illustrations are included in my blog post Protection From DLL Vulnerability with WinPatrol PLUS.
 

My Computer My Computer

At a glance

Windows 7 & Windows Vista Ultimate
OS
Windows 7 & Windows Vista Ultimate
Thanx Corrine....

I hope MS fixes this soon...like I have any time for anything anymore.

Incredible...school just started and I'm already up to my *ss in homework.:sarc:
 

My Computer My Computer

At a glance

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1,...Intel Core 2 Duo 2.93GHzNot much with my ADHDATI Radeon HD 4350
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
There is the download in KB 2264107. Perhaps it will be rolled in to a SP. However, I am thinking that Microsoft may only be able to address Microsoft products because I gather the details may vary from application to application. Thus, I gather this is not just a Microsoft issue.
 

My Computer My Computer

At a glance

Windows 7 & Windows Vista Ultimate
OS
Windows 7 & Windows Vista Ultimate
Update on Security Advisory 2269673

(Cross-posting due to multiple topics on this issue.)

As described in the Security, Research & Defense blog (linked below), the following would need to occur in order to be exploited:
"this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:

  • Browse to a malicious, untrusted WebDAV server in the Internet Zone; and
  • Double-click a file that appears by its extension and icon to be safe"
Microsoft plans to address the Microsoft products affected by this issue, primarily be in the form of security updates or defense-in-depth updates. However, as to third-party products, it is up to those vendors to provide patches for their affected software, which may take some time or, as Jerry Bryant indicated, may not be possible. As a result, the Microsoft Fix it Team has developed a Fix it solution to enable the Microsoft-recommended setting which blocks most network-based vectors.

Microsoft Fix it 50522 Steps:

  1. Download and then install update 2264107, available from the bottom of the page at KB 2264107.
  2. From the same page, click the Fix it button or link under the Enable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the fix it wizard.

    The Fix it solution will deploy the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.
Note: The tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path. As stated previously, the software vendors will be required to update those applications accordingly.


 

My Computer My Computer

At a glance

Windows 7 & Windows Vista Ultimate
OS
Windows 7 & Windows Vista Ultimate
Back
Top