Microsoft has released some updated guidance on the recent DLL-hijacking bug, including a new FixIt tool that enables the workaround for the vulnerability that Microsoft shipped late last month.
The new guidance includes a detailed explanation of the bug itself as well as how potential attacks would work and what users can do to protect themselves. In a blog post, Jonathan Ness of the Microsoft Security Response Center Engineering Team, explained that there are a number of different potential attack vectors, including a WebDAV share.
“Unfortunately, based on attack patterns we have seen in recent years,
we believe it is no longer safe to browse to a malicious, untrusted
WebDAV server in the Internet Zone and double-click on any
type of files. Attackers are clever, substituting dangerous file icons
with safe, trusted file icons. They have even recently begun obfuscating
the filename based on character encoding tricks (such as right-to-left
character encoding). Their goal is to entice unsuspecting users into
double-clicking on a malicious executable. With or without this new
remote vector to the DLL Preloading issue, it’s very hard to make a
trust decision given the amount of control an attacker has over the
malicious WebDAV server browsing experience. We recommend users only
double-click on file icons from WebDAV shares known to be trusted, safe,
and not under the control of a malicious attacker,” Ness said.
The company has released a workaround for the DLL bug, which involved editing the registry to create a new entry. The solution also includes a downloadable tool. But the tool was turned off by default, fo Microsoft has now published a new FixIt tool that will automatically enable it.
Here are the steps that Microsoft recommends:
- Install the tool from KB2264107.
- Log on to your computer as an administrator.
- Open Registry Editor.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager
- Right-click Session Manager, point to New, and then click Dword Value.
- Type CWDIllegalInDllSearch, and then click Modify.
- In the Value data box, type 0xFFFFFFFF, and then click OK.
The company warns that there could be unforeseen issues, so users should test the fix before deploying it.