Microsoft Offers Workaround For Remote DLL Vulnerability - gHacks Tech News

Microsoft Offers Workaround For Remote DLL Vulnerability

A class of vulnerability was recently discovered in Microsoft Windows applications that abuses the operating system's default DLL loading behavior.

A Microsoft Security Advisory explains that the "issue is caused by specific insecure programming practices that allow so-called binary planting or DLL preloading attacks".

In simple terms: applications that load a dynamic link library by bare file name instead of a fully qualified path leave it to Windows to search a fixed list of locations for that DLL. One of those locations is the current working directory, and when a user opens a document from a network share or a WebDAV folder the current working directory is set to that remote location, which an attacker may control.

An attacker only has to place a DLL with the name the application expects in such a directory; when the application opens a document from there it loads and executes the planted library. Many popular programs are affected, including Firefox, VLC, Opera, Photoshop, uTorrent and PowerPoint.

Microsoft published additional information about the DLL preloading remote attack vector in a blog post on the Security Research and Defense blog.

CWDIllegalInDllSearch

Among the information is a workaround that requires the creation of a Registry value, CWDIllegalInDllSearch, to change the library loading behavior either system-wide or for specific applications. The value is only honored once the update described in Microsoft Knowledge Base article 2264107 is installed.

You can create the value in the Registry Editor in the following way:

  1. Tap on the Windows-key, type regedit and hit enter.
  2. Confirm the UAC prompt.
  3. For the system-wide setting, navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
  4. For an application-specific setting, navigate instead to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, right-click on it, select New > Key and name the new key exactly like the file name of the executable you want to harden, for instance firefox.exe.
  5. Right-click on the key you selected (Session Manager or the application's key), select New > DWORD (32-bit) Value and name the new value CWDIllegalInDllSearch.
  6. Double-click the value to set its data. Select Hexadecimal as the base and enter ffffffff for 0xffffffff, or 0, 1 or 2 for the other settings described below.

Both the system-wide and the application-specific value accept the following settings, which have different effects depending on where the application is started from:

Scenario 1: The application is started from a local folder, such as C:\Program Files
  0xffffffff - Removes the current working directory from the default DLL search order.
  0 - Uses the default DLL search path. This is the Windows default, and the least secure setting.
  1 - Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder.
  2 - Blocks a DLL load from the current working directory if the current working directory is set to a remote folder.

Scenario 2: The application is started from a remote folder, such as \\remote\share
  0xffffffff - Removes the current working directory from the default DLL search order.
  0 - Uses the default DLL search path. This is the Windows default, and the least secure setting.
  1 - Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder.
  2 - Allows a DLL load from the current working directory if the current working directory is set to a remote folder (the application itself lives there). DLLs are still blocked if the current working directory is set to a WebDAV share.

Scenario 3: The application is started from a WebDAV folder, such as http://remote/share
  0xffffffff - Removes the current working directory from the default DLL search order.
  0 - Uses the default DLL search path. This is the Windows default, and the least secure setting.

The suggested value is 0xffffffff, as it removes the current working directory from the search order entirely and therefore protects against this type of DLL preloading attack regardless of where that directory points. Please note that you may run into compatibility issues when you make the change system-wide, because some applications rely on loading libraries from the current working directory.

In that case keep the strict system-wide value and create an application-specific entry under Image File Execution Options with a less restrictive value for the affected program; the application-specific value takes precedence over the system-wide one for that executable.
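The procedure above, scripted. This is an added example, not code from the article or from Microsoft: it creates the system-wide and per-application CWDIllegalInDllSearch values, reads them back with their documented meaning, and lists every application-specific override. It assumes the KB 2264107 update is installed, that it runs elevated (it writes to HKLM), and that 'example.exe' is a placeholder for whatever program breaks under the strict setting; the function names are this example's own. The meaning table describes the local-folder scenario; for programs started from a share or WebDAV folder refer to the other scenarios.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): create, read and audit the
# CWDIllegalInDllSearch value described in KB 2264107. Assumes the KB 2264107
# update is installed; 'example.exe' below is a placeholder, not a real target.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

# Effect of each documented value when the application starts from a local folder.
# Keys are the value in upper-case hex, which is how the functions below format it.
$Meaning = @{
    '0'        = 'default search order, CWD included (least secure)'
    '1'        = 'block CWD DLL loads when the CWD is a WebDAV folder'
    '2'        = 'block CWD DLL loads when the CWD is any remote folder'
    'FFFFFFFF' = 'CWD removed from the DLL search order (recommended)'
}

function Get-TargetKey {
    # System-wide key, or the per-application key under Image File Execution Options.
    param([string]$Executable)
    if ($Executable) { Join-Path $IfeoKey $Executable } else { $SystemKey }
}

function Set-CwdIllegalInDllSearch {
    param(
        [Parameter(Mandatory)][uint32]$Value,   # 0, 1, 2 or 0xFFFFFFFF
        [string]$Executable                     # e.g. 'firefox.exe'; omit for system-wide
    )
    $hex = '{0:X}' -f $Value
    if (-not $Meaning.ContainsKey($hex)) { throw "Unsupported value 0x$hex" }
    $key = Get-TargetKey $Executable
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD is written through a signed Int32 in PowerShell, so 0xFFFFFFFF must be
    # passed as the bit-identical -1; passing 4294967295 directly is rejected.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $key -Name $ValueName -Type DWord -Value $dword
}

function Get-CwdIllegalInDllSearch {
    param([string]$Executable)
    $key   = Get-TargetKey $Executable
    $scope = $(if ($Executable) { $Executable } else { 'system-wide' })
    $raw   = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $raw) {
        return [pscustomobject]@{ Scope = $scope; Value = $null; Meaning = 'not set (Windows default, CWD searched)' }
    }
    # The DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1; mask it back.
    $unsigned = [uint32](([int64]$raw) -band 0xFFFFFFFF)
    $hex      = '{0:X}' -f $unsigned
    $meaning  = $(if ($Meaning.ContainsKey($hex)) { $Meaning[$hex] } else { 'undocumented value' })
    [pscustomobject]@{ Scope = $scope; Value = "0x$hex"; Meaning = $meaning }
}

function Get-PerApplicationOverrides {
    # Every Image File Execution Options subkey that carries its own value; these
    # take precedence over the system-wide setting for that executable.
    Get-ChildItem -Path $IfeoKey | ForEach-Object {
        $item = Get-ItemProperty -Path $_.PSPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { Get-CwdIllegalInDllSearch -Executable $_.PSChildName }
    }
}

# Harden system-wide, relax one (placeholder) program that cannot cope with the
# strict setting to value 2, and show the resulting state.
Set-CwdIllegalInDllSearch -Value 0xFFFFFFFF
Set-CwdIllegalInDllSearch -Value 2 -Executable 'example.exe'
Get-CwdIllegalInDllSearch
Get-CwdIllegalInDllSearch -Executable 'example.exe'
Get-PerApplicationOverrides | Format-Table -AutoSize
```

Run the audit functions alone first on a machine you manage to see what is already set; the two Set- calls change live system behaviour and, per the compatibility note above, the strict system-wide value should be rolled out to a test group before the whole fleet.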


    Comments

    1. akbarri said on August 26, 2010 at 2:32 pm

      Suggested Actions
      http://www.microsoft.com/technet/security/advisory/2269637.mspx
      Advisory Details > Mitigating Factors and Suggested Actions > Workarounds

      # Disable loading of libraries from WebDAV and remote network shares
      http://support.microsoft.com/kb/2264107

      # Disable the WebClient service
      To disable the WebClient Service, follow these steps:
      1. Click Start, click Run, type Services.msc and then click OK.
      2. Right-click WebClient service and select Properties.
      3. Change the Startup type to Disabled. If the service is running, click Stop.
      4. Click OK and exit the management application.

      # Block TCP ports 139 and 445 at the firewall
      http://technet.microsoft.com/en-us/library/cc977599.aspx
      or simply add 139 & 445 to your Network Scanned Port @ AV/IS/Firewall Software

      1. Martin said on August 26, 2010 at 6:50 pm

        Thanks for posting those.
