I don't get it. Why limit this to C:\Program Files (not to mention that enumerating and setting registry values for all possible programs under C:\Program Files is a lot of work)?
What example is there in nature (any COTS app installed with all its defaults) that would break for installing the patch and setting the Session Manager reg value to 2?

Carl

-----Original Message-----
From: Marc Maiffret [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 4:44 PM
To: NT System Admin Issues
Subject: RE: DLL hijacking vulnerabilities

It is being exploited all over the place that we are tracking. We are writing a blog post on the matter right now to be posted on http://blog.eeye.com soon given the massive number of exploit servers and exploit frameworks (criminal ones, not just metasploit) that have all been weaponized for this vulnerability.

A lot of the exploits are over WebDAV and as such using the Microsoft hotfix and blocking WebDAV for applications started in C:\Program Files and I would suggest blocking the current working directory altogether when it is an application started from \\remote\shareremote etc...

This last sentence will make more sense if you read the spec in the MS KB article: http://support.microsoft.com/kb/2264107

-Marc

-----Original Message-----
From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, August 24, 2010 9:17 AM
To: NT System Admin Issues
Subject: Re: DLL hijacking vulnerabilities

Because it is being exploited more readily now...

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...

On Tue, Aug 24, 2010 at 11:58 AM, Ben Scott <[email protected]> wrote:

On Tue, Aug 24, 2010 at 9:40 AM, Andrew S. Baker <[email protected]> wrote:
> There is now a Microsoft-supplied workaround for the DLL vulnerability that
> was publicized below:

I don't understand all the hoopla about this vulnerability. People have been complaining that the search path behavior in Microsoft systems is insecure for literally decades. People had this criticism for *MS-DOS*. Why is it suddenly getting attention?

-- Ben
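
The system-wide versus per-application choice debated in this thread can be audited on a host with the script below. It is an added example, not part of the original thread; it assumes the `CWDIllegalInDllSearch` value name and registry locations described in KB2264107, and the meanings shown are the ones that article gives for applications started from a local folder. The function names are hypothetical.

```powershell
# Added example: report the CWDIllegalInDllSearch setting (KB2264107) on this host.
# Assumption: the hotfix is installed; without it the value has no effect.
$ValueName = 'CWDIllegalInDllSearch'
$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdSearchMeaning {
    param($Raw)
    if ($null -eq $Raw) { return 'not set: default search order, CWD is searched' }
    # A REG_DWORD may surface as a signed Int32 (-1 for 0xFFFFFFFF); normalise to unsigned.
    $value = [int64]$Raw -band 4294967295
    switch ($value) {
        0          { return 'default search order, CWD is searched' }
        1          { return 'CWD skipped when it is a WebDAV folder' }
        2          { return 'CWD skipped when it is a remote folder (WebDAV or UNC)' }
        4294967295 { return 'CWD removed from the DLL search order' }
        default    { return "unrecognised value $value" }
    }
}

function Get-CwdSearchReport {
    # System-wide value under Session Manager (the one Carl proposes setting to 2).
    $machineWide = (Get-ItemProperty -Path $GlobalKey -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Scope   = 'System-wide'
        Raw     = $machineWide
        Meaning = (Get-CwdSearchMeaning $machineWide)
    }

    # Per-application values, one subkey per binary name.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = $_.GetValue($ValueName, $null)
        if ($null -ne $raw) {
            [pscustomobject]@{
                Scope   = "Per-application: $($_.PSChildName)"
                Raw     = $raw
                Meaning = (Get-CwdSearchMeaning $raw)
            }
        }
    }
}

Get-CwdSearchReport | Format-Table -AutoSize
```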
