As many of you may have read, it has been found that launching files from a vulnerable Windows program could allow malicious programs to be loaded automatically without your permission. These malicious programs would have full access to your computer, which includes accessing sensitive data or installing other files onto your computer without your permission. This vulnerability is caused by how Windows handles DLL files. When programmers create a program they are supposed to specify the specific locations that their applications will load DLL files from. If they do not specify the location, then Windows will search for the desired DLL in numerous locations on a computer. The vulnerability can be exploited because Windows will attempt to load a DLL from the same folder as a file that is being opened by the application.
This vulnerability could then be set off when a user opens a file in a folder, remote file share, USB drive, etc. that also contains a malicious DLL that has the same name as a legitimate DLL that the application would normally open. As Windows will attempt to open a DLL from the same folder as the file, Windows will instead load the malicious DLL and not the legitimate one. Once the malicious DLL is loaded, the malware or attacker has access to do what they want on your computer.
Though this is not the first we have heard about this vulnerability, the latest news has definitely fired off a storm of updates by software vendors to fix their applications. Unfortunately, this problem is not one that can be fixed by Microsoft as it will break far too many programs. Instead, software vendors should follow the practices put out by Microsoft that explain how a program should specify the specific locations a program's DLLs should be loaded from. As numerous programs have not been following these policies, they need to update their programs to resolve these security issues.
Therefore, it is important that you make sure your computer has the latest updates for the programs that you use. A great tool for finding vulnerable and out-dated programs is Secunia PSI. A tutorial on how to use this program can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Microsoft has already released Microsoft Security Advisory (2269637), which explains this vulnerability as well as provides methods and a tool that can be used to disable the loading of libraries from remote network or WebDAV shares. There is also an unofficial list of vulnerable applications here.
I suggest everyone use Secunia PSI and read the Microsoft advisory in order to properly protect your computer.
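As a defensive check for the scenario described above (a DLL sitting in the same folder, share or USB drive as a document you are about to open), here is a small scanner. It is an added example, not part of the original post or of any Microsoft or Secunia tool; the function names, the document extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: file types a user is likely to open by double-clicking.
DOC_EXTS = {".doc", ".docx", ".xls", ".ppt", ".pdf", ".txt", ".htm", ".mp3"}

def is_pe(path):
    """True if the file starts with 'MZ', the magic of Windows EXE/DLL images."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def find_colocated_dlls(root):
    """Return sorted (folder, dll_name, is_pe) for each .dll that shares a
    folder with at least one document anywhere under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        exts = {os.path.splitext(f)[1].lower() for f in files}
        if not exts & DOC_EXTS:
            continue  # nothing here a user would open, so not this scenario
        for name in files:
            if name.lower().endswith(".dll"):
                rel = os.path.relpath(folder, root)
                findings.append((rel, name, is_pe(os.path.join(folder, name))))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample data, written to a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="dllscan_")
    sample = {
        "clean/report.pdf": b"%PDF-1.4 constructed",
        "suspect/slides.ppt": b"constructed document",
        "suspect/example.dll": b"MZ" + b"\x00" * 62,  # PE-style header stub
        "suspect/readme.dll": b"plain text, not a PE image",
        "libs_only/helper.dll": b"MZ" + b"\x00" * 62,  # no document beside it
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for folder, name, pe in find_colocated_dlls(build_sample_tree()):
        print(f"{folder}: {name} (PE header: {pe})")
```

A hit is a reason to look closer before opening anything from that folder, not proof of malware, since some legitimate software ships DLLs next to its data files.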














