It is being exploited all over the place that we are tracking. We are writing a blog post on the matter right now to be posted on http://blog.eeye.com soon, given the massive number of exploit servers and exploit frameworks (criminal ones, not just Metasploit) that have all been weaponized for this vulnerability.
A lot of the exploits are over WebDAV, and as such I would suggest using the Microsoft hotfix and blocking WebDAV for applications started in C:\Program Files, and blocking the current working directory altogether when it is an application started from \\remote\shareremote etc... This last sentence will make more sense if you read the spec in the MS KB article: http://support.microsoft.com/kb/2264107

-Marc

-----Original Message-----
From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 9:17 AM
To: NT System Admin Issues
Subject: Re: DLL hijacking vulnerabilities

Because it is being exploited more readily now...

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>

On Tue, Aug 24, 2010 at 11:58 AM, Ben Scott <[email protected]> wrote:
> On Tue, Aug 24, 2010 at 9:40 AM, Andrew S. Baker <[email protected]> wrote:
> > There is now a Microsoft-supplied workaround for the DLL vulnerability that
> > was publicized below:
>
> I don't understand all the hoopla about this vulnerability. People have been complaining that the search path behavior in Microsoft systems is insecure for literally decades. People had this criticism for *MS-DOS*. Why is it suddenly getting attention?
>
> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
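As an added illustration (not part of Marc's message or anyone else's in this thread), the two suggestions above map onto the CWDIllegalInDllSearch registry value that KB2264107 introduces: a system-wide setting under the Session Manager key, and per-application overrides under Image File Execution Options. The script below assumes the KB2264107 update is already installed (the value does nothing without it), an elevated PowerShell session, and uses a placeholder image name ("example-viewer.exe") that is not from the thread. The value meanings are the ones documented in KB2264107.

```powershell
# Added example, not from the original thread. Applies the KB2264107
# CWDIllegalInDllSearch mitigation system-wide and per application.
# Assumptions: KB2264107 is installed, session is elevated, and the
# application name below is a placeholder.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IFEO = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Values documented in KB2264107:
#   0xFFFFFFFF  remove the current working directory (CWD) from the DLL search order
#   1           block DLL loads from the CWD when it is remote (UNC share or WebDAV)
#   2           block DLL loads from the CWD only when it is a WebDAV folder
#   0 / absent  default (legacy) search order, i.e. the vulnerable behaviour
# 0xFFFFFFFF is written as Int32 -1: the registry provider converts DWORD
# values through Int32, and the literal 0xFFFFFFFF overflows that conversion.
$BlockCwdEntirely = -1
$BlockRemoteCwd   = 1
$BlockWebDavCwd   = 2

function Set-CwdDllPolicy {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [int32]  $Value
    )
    # Per-application keys under IFEO usually do not exist yet; create them.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name 'CWDIllegalInDllSearch' -Value $Value -Type DWord
}

function Get-CwdDllPolicy {
    param([Parameter(Mandatory)] [string] $KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent: default search order still in effect
    return [int32] $item.CWDIllegalInDllSearch
}

function Remove-CwdDllPolicy {
    # Rollback: deleting the value restores the default search order.
    param([Parameter(Mandatory)] [string] $KeyPath)
    Remove-ItemProperty -Path $KeyPath -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue
}

# System-wide: stop loading DLLs from the CWD whenever the CWD is remote.
# Value 1 covers both UNC shares and WebDAV, so it is the broader of the
# two per-location suggestions in the thread.
Set-CwdDllPolicy -KeyPath $SessionManager -Value $BlockRemoteCwd

# Per-application: for binaries that are routinely launched by opening a
# document on a share, drop the CWD from the search order entirely.
# 'example-viewer.exe' is a placeholder (assumption); substitute real image names.
$HardenedApps = @('example-viewer.exe')
foreach ($exe in $HardenedApps) {
    Set-CwdDllPolicy -KeyPath (Join-Path -Path $IFEO -ChildPath $exe) -Value $BlockCwdEntirely
}

# Read back and report what is actually in effect.
$paths = @($SessionManager) + ($HardenedApps | ForEach-Object { Join-Path -Path $IFEO -ChildPath $_ })
foreach ($path in $paths) {
    $v = Get-CwdDllPolicy -KeyPath $path
    $state = if ($null -eq $v) { 'not set (default search order)' } else { '0x{0:X8}' -f $v }
    '{0}: {1}' -f $path, $state
}
```

Test the 0xFFFFFFFF setting per application before rolling it out: any program that legitimately loads a DLL relative to its working directory will start failing, and that failure surfaces as a missing-DLL error rather than anything that names this registry value. Remove-CwdDllPolicy on the same key path reverts a single application without touching the system-wide setting.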
