HomeMalware
September 1, 2010, 9:38AM

Microsoft Publishes New FixIt Tool For DLL Bug

Microsoft has released some updated guidance on the recent DLL-hijacking bug, including a new FixIt tool that enables the workaround for the vulnerability that Microsoft shipped late last month.

The new guidance includes a detailed explanation of the bug itself as well as how potential attacks would work and what users can do to protect themselves. In a blog post, Jonathan Ness of the Microsoft Security Response Center Engineering Team, explained that there are a number of different potential attack vectors, including a WebDAV share.

"Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of files. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it’s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker," Ness said.

Editor's Pick

Threatpost Newsletter Sign-up

The company has released a workaround for the DLL bug, which involved editing the registry to create a new entry. The solution also includes a downloadable tool. But the tool was turned off by default, fo Microsoft has now published a new FixIt tool that will automatically enable it.

Here are the steps that Microsoft recommends:

  • Install the tool from KB2264107.
  • Log on to your computer as an administrator.
  • Open Registry Editor.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • Right-click Session Manager, point to New, and then click Dword Value.
  • Type CWDIllegalInDllSearch, and then click Modify.
  • In the Value data box, type 0xFFFFFFFF, and then click OK.

The company warns that there could be unforeseen issues, so users should test the fix before deploying it.

Commenting on this Article is closed.

Comments

Submitted by DiVinci (not verified) on Wed, 09/01/2010 - 7:53pm.

Having visited a 'Kaspersky' page and reviewing the latest comment on'Facebook', I was somewhat surprised to find a link to Facebook on the same page.

Submitted by Anonymous (not verified) on Fri, 09/03/2010 - 9:20am.
The Microsoft fixit on this problem, is a miserable failure. It's false security. And raises the noise level for a true solution. Furthermore has unknown future effects. I for example, keep some older applications and their dll's which make them run. Then along came .NET, now source code from only 4 years back was a complete waste of time since they have changed the dll's in .NET to where the code won't compile, and the app won't run. I think the problem with Microsoft, is they haven't ever designed a firewall to truly protect their OS all 65k ports, and every protocol needs to be controlled without a 3rd party. Really the only way to protect it now is to HIDE such workstations behind a hardware firewall with the 65K ports and protocols protected by the Hardware firewall. Windows firewall is a complete joke. Why I can close off port 137-139 in iptables, and not with the windows firewall? Why is it these damn services are such a pain to shut off!? It's the epitome of nonsense. And the ONLY cure is to be behind a Hardware Firewall, password protect all your passwords (don't save them in browsers), and have a HARDWARE backup, when you get hit, so you can schlep what's left of your unhacked passwords in short time via a live disk and your passwords on a write protected USB stick (like an immation clip for example.) And yet still there is no easily available low cost firewall appliances which (Have Low Noise), and (Use Low Power), oh sure if I want to spend 600 at supermicro.... This is one of those days where I *nearly hate* everyone. I am very grumpy, the insanity and hypocrisy is getting close to the snapping point. -- not mad at threatpost though...

 

Copyright © 2012 threatpost.com | Terms of Service | Privacy