Honestly, until it's tested, and albeit I would do a lot of testing with this one (especially applications loaded from shares, which it seems everyone has), I wouldn't start rushing out the workarounds in the MSKB. I can see this definitely breaking functionality or even the applications themselves accordingly, which is basically causing a DoS on your part.
Disabling Web Client and blocking SMB inbound and outbound is a good first start, which has been mentioned in blogs (also, Web Client has come up on the vulnerability landscape a few times over the past few years, so disabling it might be the best hardening step for workstations). This one is definitely going to get more ugly before it gets better, that is for sure.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: HELP_PC [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 10:59 AM
To: NT System Admin Issues
Subject: R: DLL hijacking vulnerabilities

Without breaking anything? Not so evident to me

GuidoElia
HELPPC

________________________________

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday 24 August 2010 16.27
To: NT System Admin Issues
Subject: Re: DLL hijacking vulnerabilities

Yes, there is. If you understand the nature of the vulnerability, that is.

Because of the way the search path works you can hijack a missing DLL for any application. Now, you have a way to prevent that from being exploited remotely.

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Tue, Aug 24, 2010 at 10:00 AM, HELP_PC <[email protected]> wrote:

You mean there isn't. And the workarounds in KB 2269637 are really idiotic

GuidoElia
HELPPC

________________________________

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday 24 August 2010 15.41
To: NT System Admin Issues
Subject: DLL hijacking vulnerabilities

There is now a Microsoft-supplied workaround for the DLL vulnerability that was publicized below:

http://www.computerworld.com/s/article/9180978/Zero_day_Windows_bug_problem_worse_than_first_thought_says_expert

See the following:

DLL hijacking vulnerabilities
https://isc.sans.edu/diary.html?storyid=9445

Insecure Library Loading Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2269637.mspx

More information about the DLL Preloading remote attack vector
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
http://support.microsoft.com/kb/2264107

ASB
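
Added example, not part of the thread: a simplified Python model of the DLL search order and of the CWDIllegalInDllSearch values documented in KB 2264107, used to list which applications in an inventory would resolve a DLL differently under each value, which is the breakage concern raised in the replies above. It assumes applications started from a local folder; the search order is abbreviated, and all paths, file names and the `cwd_allowed`/`resolve`/`impact` helpers are constructed for illustration.

```python
# Simplified model of the Windows DLL search order (SafeDllSearchMode on) and of
# the CWDIllegalInDllSearch values from KB 2264107, for an application started
# from a local folder. All paths and file sets below are constructed samples.
CWD_REMOVED = 0xFFFFFFFF   # CWD dropped from the search order entirely
BLOCK_WEBDAV = 1           # no load from CWD when CWD is a WebDAV folder
BLOCK_REMOTE = 2           # no load from CWD when CWD is WebDAV or UNC

def cwd_allowed(setting, cwd_kind):
    """cwd_kind is 'local', 'unc' or 'webdav'."""
    if setting == CWD_REMOVED:
        return False
    if setting == BLOCK_WEBDAV:
        return cwd_kind != "webdav"
    if setting == BLOCK_REMOTE:
        return cwd_kind == "local"
    return True  # 0 or value absent: default behaviour

def resolve(dll, app_dir, cwd, cwd_kind, path_dirs, files, setting=0):
    """Return the directory the DLL would load from, or None if not found."""
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows"]
    if cwd_allowed(setting, cwd_kind):
        order.append(cwd)
    order += path_dirs
    for d in order:
        if dll.lower() in files.get(d, set()):
            return d
    return None

def impact(apps, files, setting):
    """List apps whose DLL resolution changes under `setting` vs. the default."""
    changed = []
    for name, a in apps.items():
        args = (a["dll"], a["app_dir"], a["cwd"], a["kind"], [], files)
        before, after = resolve(*args, 0), resolve(*args, setting)
        if before != after:
            changed.append((name, before, after))
    return changed

FILES = {  # constructed directory listings
    r"\\fileserver\apps\erp": {"erpcore.dll"},   # legitimate DLL kept on a share
    r"\\dav.example\docs": {"missing.dll"},      # unexpected DLL in a WebDAV CWD
}
APPS = {
    "erp":    {"dll": "erpcore.dll", "app_dir": r"C:\Program Files\ERP",
               "cwd": r"\\fileserver\apps\erp", "kind": "unc"},
    "viewer": {"dll": "missing.dll", "app_dir": r"C:\Program Files\Viewer",
               "cwd": r"\\dav.example\docs", "kind": "webdav"},
}
```

In this constructed inventory, `impact(APPS, FILES, BLOCK_WEBDAV)` reports only the WebDAV load, while `BLOCK_REMOTE` and `CWD_REMOVED` also stop the share-hosted `erp` application from finding its DLL.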
