The MSRC Blog reported that Microsoft conducting investigations into how this vector may affect Microsoft products. In addition, Microsoft released KB Article 2264107, which includes a new CWDIllegalInDllSearch registry entry to control the DLL search path algorithm:
"The update allows the administrator to define the following on a system-wide or a per-application basis:That may be fine for IT Professionals, but what about home computer users? If, like me, you use WinPatrol PLUS, you have at your fingertips a simple method of adding protection from the DLL (CWDIllegalInDllSearch) vulnerability. Bill Pytlovany added the entries to include in WinPatrol Registry Monitoring Scripts . With this simple entry, WinPatrol will notify you if anyone tries to create and change this value from a non-zero value.
- Remove the current working directory from the library search path.
- Prevent an application from loading a library from a WebDAV location.
- Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location."
Edit Note: The instructions have been updated to change the following question by ky331 and response by Bill Pytlovany after his discussions with some folks at Microsoft. (See the Comments below.)
The steps are simple. Start by launching WinPatrol, select the "Registry Monitoring" tab and click Add:
As illustrated in the simple steps below, a new window will open to add the item to be monitored.
It is that simple with WinPatrol PLUS! Unemployed and unable to afford a license? Be sure to check out WinPatrol Supports Unemployed Job Seekers.
- BillP Studios: WinPatrol Registry Monitoring Scripts
- DLL Hijacking (KB 2269637) – the unofficial list (Peter Van Eeckhoutte)
- KB 2264107: A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
- ISC SANS: DLL hijacking vulnerabilities
- Firefox, uTorrent, and PowerPoint hit by Windows DLL bug
- Knowledge Base article 2264107
- MSRC Blog: Microsoft Security Advisory 2269637 Released
- SR&D Blog: More information about the DLL Preloading remote attack vector
- TechNet: Security Advisory 2269637
Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, WinPatrol, Information, Advisory, Vulnerabilities, How-to, WinPatrol,