
Windows DLL Vulnerability and how to mitigate it.

#1 Grinler (Lawrence Abrams)
  • Admin
  • 43,717 posts
  • Location:USA

Posted 30 August 2010 - 09:45 AM

As many of you may have read, it has been found that launching files from a vulnerable Windows program could allow malicious programs to be loaded automatically without your permission. These malicious programs would have full access to your computer, which includes accessing sensitive data or installing other files onto your computer without your permission.

This vulnerability is caused by how Windows handles DLL files. When programmers create a program they are supposed to specify the specific locations that their applications will load DLL files from. If they do not specify the location, then Windows will search for the desired DLL in numerous locations on a computer. The vulnerability can be exploited because Windows will attempt to load a DLL from the same folder as a file that is being opened by the application.

This vulnerability could then be set off when a user opens a file in a folder, remote file share, USB drive, etc. that also contains a malicious DLL with the same name as a legitimate DLL that the application would normally open. As Windows will attempt to open a DLL from the same folder as the file, Windows will instead load the malicious DLL and not the legitimate one. Once the malicious DLL is loaded, the malware/hacker has access to do whatever they want on your computer.

Though this is not the first we have heard of this vulnerability, the latest news has definitely fired off a storm of updates by software vendors to fix their applications. Unfortunately, this problem is not one that can be fixed by Microsoft, as it would break far too many programs. Instead, software vendors should follow the practices put out by Microsoft that explain how a program should specify the specific locations its DLLs should be loaded from. As numerous programs have not been following these policies, they need to update their programs to resolve these security issues.

Therefore, it is important that you make sure your computer has the latest updates for the programs that you use. A great tool for finding vulnerable and outdated programs is Secunia PSI. A tutorial on how to use this program can be found here:
How to detect vulnerable and outdated programs using Secunia Personal Software Inspector
Microsoft has already released Microsoft Security Advisory (2269637), which explains this vulnerability as well as provides methods and a tool that can be used to disable the loading of libraries from remote network or WebDAV shares. There is also an unofficial list of vulnerable applications here.

I suggest everyone use Secunia PSI and read the Microsoft advisory in order to properly protect your computer.


#2 Casey_boy (Bleeping physicist)
  • Malware Response Team
  • 7,765 posts
  • Location:UK

Posted 30 August 2010 - 11:34 AM

Whilst it's true Microsoft can't fix this directly, it's amazing just how many Microsoft programs are listed as being open to this sort of attack.

#3 Grinler (Lawrence Abrams)
  • Topic Starter
  • Admin
  • 43,717 posts
  • Location:USA

Posted 30 August 2010 - 04:27 PM

Yes, I agree there is no excuse for not following their own policies.

#4 callupchuck
  • Members
  • 21 posts

Posted 31 August 2010 - 08:29 AM

FYI, I am getting an NSIS error after downloading and trying to install the PSI program. I'm going through the instructions for fixing that issue, as it may be related to settings in my system. Will keep you posted.

#5 smak451
  • Members
  • 59 posts

Posted 04 September 2010 - 10:13 AM

Note that you need to load the appropriate Tool (at the bottom of the Tool link) first and then run the "Fixit" utility link on the same page above it.

This will add a registry command here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDLLSearch

and sets the string value to 2, which blocks all remote attacks. It doesn't block any existing vulnerabilities you may have already on programs currently running on your machine. To do that you need to change the string value to "FFFFFFFF," which implements a system-wide block against this threat.

I've done this and haven't had any problems, but if there are any programs you are running which encounter incompatibilities, you simply change the string value for that application back to 2.

Sounds harder than it is -- takes 5 minutes as explained here: http://blogs.technet.com/b/srd/archive/201...ack-vector.aspx

Hope this helps. Cheers, -- S
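The search-order walk that Grinler describes in the opening post, and the effect of the CWDIllegalInDLLSearch values that smak451 describes above, can be worked through offline with the model below. This is an added example written for this thread, not code from the forum, from Microsoft, or from the Fix it tool. It follows Microsoft's documented default search order with SafeDllSearchMode enabled (application directory, System32, Windows directory, current working directory, then PATH; the 16-bit system directory is left out), and the documented meanings of the three registry values (1 ignores the current directory only when it is a WebDAV share, 2 ignores it for any remote share, 0xFFFFFFFF removes it entirely; the value is a REG_DWORD, even though the post above calls it a string). What it does not model: KnownDLLs, modules already loaded in the process, and side-by-side manifests, all of which short-circuit the search on a real system. The directory names, the `viewer.exe` program and its `helper.dll` dependency are constructed sample input; the point they illustrate is that when a document is opened from Explorer or a share, the handler's current directory is typically that document's folder, so a planted `helper.dll` beside `report.pdf` wins over the legitimate one that lives on PATH.

```python
"""
Model of the Windows DLL search order and the CWDIllegalInDLLSearch
mitigation (KB 2264107 / Security Advisory 2269637).

Added example for this thread, not Microsoft's code. Directory names,
viewer.exe and helper.dll are constructed sample input.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Documented REG_DWORD values for CWDIllegalInDLLSearch.
BLOCK_WEBDAV_CWD = 0x1         # skip CWD only when it is a WebDAV share
BLOCK_REMOTE_CWD = 0x2         # skip CWD when it is any remote share (UNC or WebDAV)
BLOCK_ALL_CWD = 0xFFFFFFFF     # remove CWD from the search order entirely


@dataclass
class Directory:
    path: str
    files: set[str]            # lowercase file names present here
    remote: bool = False       # UNC or WebDAV share
    webdav: bool = False       # WebDAV specifically (implies remote)


@dataclass
class Machine:
    app_dir: Directory
    system32: Directory
    windows: Directory
    cwd: Directory
    path_dirs: list[Directory] = field(default_factory=list)
    safe_dll_search_mode: bool = True
    cwd_illegal_in_dll_search: Optional[int] = None   # None = value not set


def cwd_is_searched(m: Machine) -> bool:
    """Apply the registry value to the current working directory."""
    v = m.cwd_illegal_in_dll_search
    if v is None:
        return True
    if v == BLOCK_ALL_CWD:
        return False
    if v == BLOCK_REMOTE_CWD:
        return not m.cwd.remote
    if v == BLOCK_WEBDAV_CWD:
        return not m.cwd.webdav
    return True   # unrecognised value: modelled as no restriction (assumption)


def search_order(m: Machine) -> list[Directory]:
    """Directories in the order LoadLibrary walks them for a bare DLL name."""
    order = [m.app_dir, m.system32, m.windows]
    if m.safe_dll_search_mode:
        order.append(m.cwd)          # default since XP SP2: CWD after system dirs
    else:
        order.insert(1, m.cwd)       # legacy mode: CWD right after the app dir
    order.extend(m.path_dirs)
    if not cwd_is_searched(m):
        order.remove(m.cwd)
    return order


def resolve(m: Machine, dll: str) -> Optional[str]:
    """Return the directory the DLL would be loaded from, or None."""
    name = dll.lower()
    if "\\" in name:
        # A fully qualified path disables the search entirely; this is the
        # fix vendors are being told to ship.
        wanted_dir, _, name = name.rpartition("\\")
        for d in [m.app_dir, m.system32, m.windows, m.cwd, *m.path_dirs]:
            if d.path.lower() == wanted_dir and name in d.files:
                return d.path
        return None
    for d in search_order(m):
        if name in d.files:
            return d.path
    return None


def scenario(cwd_remote=False, cwd_webdav=False, setting=None, safe=True) -> Machine:
    """Constructed sample: viewer.exe loads 'helper.dll' by bare name, the
    legitimate copy sits in a PATH directory, and the user opens report.pdf
    from a folder that also carries a planted helper.dll."""
    cwd_path = r"\\fileserver\docs" if cwd_remote else r"C:\Users\me\Downloads"
    return Machine(
        app_dir=Directory(r"C:\Program Files\Viewer", {"viewer.exe"}),
        system32=Directory(r"C:\Windows\System32", {"kernel32.dll", "user32.dll"}),
        windows=Directory(r"C:\Windows", set()),
        cwd=Directory(cwd_path, {"report.pdf", "helper.dll"},
                      remote=cwd_remote, webdav=cwd_webdav),
        path_dirs=[Directory(r"C:\Program Files\Viewer\lib", {"helper.dll"})],
        safe_dll_search_mode=safe,
        cwd_illegal_in_dll_search=setting,
    )


if __name__ == "__main__":
    cases = [
        ("no mitigation, local folder", scenario()),
        ("value 2, document on UNC share", scenario(cwd_remote=True, setting=BLOCK_REMOTE_CWD)),
        ("value 2, document in local folder", scenario(setting=BLOCK_REMOTE_CWD)),
        ("value FFFFFFFF, local folder", scenario(setting=BLOCK_ALL_CWD)),
    ]
    for label, m in cases:
        print(f"{label:36s} helper.dll <- {resolve(m, 'helper.dll')}")
```

The third case is the one smak451's post is getting at: with the value set to 2 the planted DLL is still picked up when the document lives on a local disk or USB stick, and only 0xFFFFFFFF (or the vendor loading the DLL by full path, the last branch of `resolve`) closes that.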

#6 OldTimeCoder
  • Members
  • 2 posts
  • Location:Midwest, USA

Posted 05 September 2010 - 12:51 AM

Quoting Grinler:
    Therefore, it is important that you make sure your computer has the latest updates for the programs that you use. A great tool for finding vulnerable and out-dated programs is Secunia PSI. A tutorial on how to use this program can be found here: http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Secunia has just released, as of 1 Sept 2010, a public beta of PSI version 2. It has LIMITED capabilities to update programs automagically. The beta can be found at Secunia PSI 2.0 public beta. And of course their online scanner, at Secunia OSI online scanner, which pushes a Java applet to your machine, is fairly quick, but it is not as sophisticated and does not have the coverage that the client-side scanner has.

/s/ OldTimer

Edited by OldTimeCoder, 05 September 2010 - 12:53 AM.


#7 teamo
  • Members
  • 8 posts

Posted 06 September 2010 - 12:43 AM

Must be why Adobe keeps telling me to update all their products?

#8 Layback Bear
  • Members
  • 1,880 posts
  • Location:Northern Ohio

Posted 06 September 2010 - 06:35 AM

I have been using PSI for a little while and it did find some problem programs and I fixed them. IMHO it's a great little program.