Thursday, August 26, 2010

Protection From DLL Vulnerability with WinPatrol PLUS

The day after Microsoft released Security Advisory 2269637 (relating to a remote attack vector to a class of vulnerabilities affecting applications that load DLL’s in an insecure manner), the first exploits were released. These exploits were identified as targeting programs including Firefox, uTorrent BitTorrent client, and Microsoft PowerPoint. As reported by Peter Van Eeckhoutte in DLL Hijacking (KB 2269637) – the unofficial list, the list is much longer now and includes many well known applications.

The MSRC Blog reported that Microsoft conducting investigations into how this vector may affect Microsoft products. In addition, Microsoft released KB Article 2264107, which includes a new CWDIllegalInDllSearch registry entry to control the DLL search path algorithm:
"The update allows the administrator to define the following on a system-wide or a per-application basis:
  • Remove the current working directory from the library search path.
  • Prevent an application from loading a library from a WebDAV location.
  • Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location."
That may be fine for IT Professionals, but what about home computer users? If, like me, you use WinPatrol PLUS, you have at your fingertips a simple method of adding protection from the DLL (CWDIllegalInDllSearch) vulnerability. Bill Pytlovany added the entries to include in WinPatrol Registry Monitoring Scripts . With this simple entry, WinPatrol will notify you if anyone tries to create and change this value from a non-zero value.

Edit Note: The instructions have been updated to change the following question by ky331 and response by Bill Pytlovany after his discussions with some folks at Microsoft. (See the Comments below.)

The steps are simple. Start by launching WinPatrol, select the "Registry Monitoring" tab and click Add:


As illustrated in the simple steps below, a new window will open to add the item to be monitored.




  • Registry Key: In the Registry Key selection drop-down, make sure HKEY_LOCAL_MACHINE is selected.



  • Type or copy/paste the following in the space provided under Registry Key:
    SYSTEM\CurrentControlSet\Control\Session Manager



  • Name: In the Name space, type or copy/paste CWDIllegalInDllSearch



  • Value: In the space for Value, type 1 (the number one).



  • Value Type: In the drop-down box, select REG_DWORD



  • Click the Add button.


  • The results:


    It is that simple with WinPatrol PLUS! Unemployed and unable to afford a license? Be sure to check out WinPatrol Supports Unemployed Job Seekers.




    References:

    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, WinPatrol, Information, Advisory, Vulnerabilities, How-to, WinPatrol,




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    4 comments:

    ky331 said...

    I'm not sure that I'm following the WinPatrol "protection"...
    As I read it, Scotty will sound an alert any time the CWDIllegalInDllSearch registry item is not set to 0 (here, 0=follow the default .dll path).
    However, the Microsoft Advisory indicates that the non-default value(s) of 1 (or 2)
    "Blocks a DLL Load from the current working directory if the current working directory is set to a WebDAV folder" (or remote folder, respectively).
    So it seems to me that these non-default values offer more protection/blocking.

    Unknown said...
    This comment has been removed by the author.
    Unknown said...

    Thank you for your comment. After discussions with some folks at Microsoft they feel setting the value to 1 or 2 would best protect users who wanted to use WinPatrol to let them know of any change.

    Ultimately however they recommend scrolling down the article http://support.microsoft.com/kb/2264107 and having folks download the appropriate fix that Microsoft has made available.

    When I ran the fix on my system, it actually changed the value to 1.


    Thanks again for your comment.
    Bill

    test said...

    DLL hijacking vulnerability, which was released last week, results in some programs no longer working properly.So you should use application protection for this.