If an attacker can get his .DLL into your local CWD, he can probably get his .EXE to run on your computer as well, so why bother with the .DLL-based attack?
Point is, the MS patch and reg value=2 has a very slim chance of breaking something and provides excellent protection against known attack vectors for locally installed apps. Maybe it's not 100% protection for 100% of businesses, and it's not a guarantee against future attacks, but if you spend all your time worrying about all future possibilities and not doing something that takes care of TODAY, well that's just foolish.

Carl

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, August 26, 2010 11:16 AM
To: NT System Admin Issues
Subject: Re: Insecure Library Loading Vulnerability

On Thu, Aug 26, 2010 at 11:11 AM, Carl Houseman <[email protected]> wrote:
>> Only CWDIllegalInDllSearch=INT_MAX would cause the problem.
>
> See my response to ASB. Those who are setting the registry value to INT_MAX
> don't understand the problem they are trying to prevent.

See my response to Carl Houseman. ;-)

The "this isn't being attacked yet" mentality is the root cause of a great many security compromises.

-- Ben
