The other pain part is a lot of application developers don't know that their applications are vulnerable, or require everyone that uses the application to have Change (share) and Modify (NTFS) (or even Full) permissions to run their application, or they have application issues and blame it on security.

The SANS ISC page makes a reference to auditing the application shares accordingly, which is all nice and well, but auditing on success/failure of write on a .dll on an active share is basically going to make your audit logs look like soup, and be of no value soon after you implement it. So that, coupled with the numerous applications that are vulnerable and the hackers already starting to write exploits and use this as another attack vector, definitely raises the risk level accordingly.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 11:58 AM
To: NT System Admin Issues
Subject: Re: DLL hijacking vulnerabilities

You're welcome.

I haven't yet seen that they plan to roll it out as a security update, but that is not outside the realm of possibilities. And I would like to see the default changed, if it is rolled out that way.

To me, the vulnerability is interesting, because it takes advantage of the failure of a specific application AND the default behavior of Windows as it pertains to that failure. Given that there are now hundreds of applications that are affected by this, and there is no way that they'll all be updated at the same time (or that they'll all be updated at all), I'm glad they've taken steps to mitigate it. I'm waiting to see how many Microsoft apps fall into this category, too. :)

I agree with you that changing the default via a security/critical update would be most beneficial to a greater number of people -- many of whom cannot easily fend for themselves.

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Tue, Aug 24, 2010 at 10:59 AM, Carl Houseman <[email protected]> wrote:

Thanks ASB.

I'm guessing that MS expects the solution cycle for this vuln will take some time, therefore they took the unusual step of creating a patch to mitigate it. Question is, will the patch and registry value be rolled out as a security/critical update? The most vulnerable computers/users are those without an I.T. staff to automate the patch install and reghack. How many SOHO/home users would notice if their local applications could not access DLLs on WebDAV or remote shares? Less than .001%, I'd bet - but still too many? Most any business with an infrastructure that can't deal with the DLL restriction would also have WSUS controlling patch rollout - so I say, make it the new default for everyone else.

Carl

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 9:41 AM
To: NT System Admin Issues
Subject: DLL hijacking vulnerabilities

There is now a Microsoft-supplied workaround for the DLL vulnerability that was publicized below:
http://www.computerworld.com/s/article/9180978/Zero_day_Windows_bug_problem_worse_than_first_thought_says_expert

See the following:

DLL hijacking vulnerabilities
https://isc.sans.edu/diary.html?storyid=9445

Insecure Library Loading Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2269637.mspx

More information about the DLL Preloading remote attack vector
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
http://support.microsoft.com/kb/2264107

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...
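As an added example (not written by any of the posters above), a read-only PowerShell audit of the CWDIllegalInDllSearch mitigation the thread discusses: it reports the system-wide value and any per-application overrides under Image File Execution Options. The value meanings follow KB 2264107 as linked in the thread; the key paths are the ones that KB documents.

```powershell
# Added example: audit the CWDIllegalInDllSearch mitigation (KB 2264107) on the local host.
# Run in an elevated PowerShell session; it only reads the registry.
#
# Value meanings per KB 2264107:
#   absent / 0 = default search order: the current working directory (CWD) is searched,
#                even when it is a WebDAV folder or a remote share
#   1          = CWD not searched when it is a WebDAV folder
#   2          = CWD not searched when it is a WebDAV folder or a remote share
#   0xFFFFFFFF = CWD never searched for DLLs
function Describe-CwdIllegalInDllSearch([object]$Value) {
    if ($null -eq $Value) { return 'absent -> default search order (CWD searched; vulnerable posture)' }
    # REG_DWORD 0xFFFFFFFF is read back as Int32 -1; normalise to an unsigned value first.
    $v = [int64]$Value -band 0xFFFFFFFF
    switch ($v) {
        0          { 'default search order (CWD searched; vulnerable posture)' }
        1          { 'CWD blocked only when it is a WebDAV folder' }
        2          { 'CWD blocked when it is a WebDAV folder or a remote share' }
        4294967295 { 'CWD never searched for DLLs (strongest setting)' }
        default    { 'unrecognised value 0x{0:X8}' -f $v }
    }
}

$sysKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. System-wide setting (applies to every process unless overridden per application)
$sys = Get-ItemProperty -Path $sysKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
'System-wide : {0}' -f (Describe-CwdIllegalInDllSearch $sys.CWDIllegalInDllSearch)

# 2. Per-application overrides: KB 2264107 allows the same value under each IFEO <app.exe> subkey
$overrides = Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
    if ($p) {
        [pscustomobject]@{
            Application = $_.PSChildName
            Setting     = Describe-CwdIllegalInDllSearch $p.CWDIllegalInDllSearch
        }
    }
}
if ($overrides) { $overrides | Format-Table -AutoSize }
else            { 'Per-app     : no IFEO overrides found' }
```

An "absent" or 0 system-wide result with no overrides means the host still has the default search order the thread is concerned about; the script changes nothing, so it is safe to run across a fleet before deciding on a value.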
