Slashdot Mirror


Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com)

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.

162 comments

  1. What's a DLL? by Teun · · Score: 2, Funny

    The obvious question is; what's a DLL?

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:What's a DLL? by Anonymous Coward · · Score: 4, Informative

      Dynamic linked library

    2. Re:What's a DLL? by Archangel+Michael · · Score: 5, Informative

      Dynamic Link Library. Typically a shared resource that can be dynamically loaded and unloaded when needed, and often shared among programs.

      The problem with DLLs is that there are many versions of the same DLL that often need to run at the same time. Which means that you can substitute one version for another, and hijack a program. Nothing new here.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:What's a DLL? by Anonymous Coward · · Score: 4, Informative

      Dynamic-link library (also written unhyphenated), or DLL, is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers). The file formats for DLLs are the same as for Windows EXE files – that is, Portable Executable (PE) for 32-bit and 64-bit Windows, and New Executable (NE) for 16-bit Windows. As with EXEs, DLLs can contain code, data, and resources, in any combination.

      https://en.wikipedia.org/wiki/Dynamic-link_library

    4. Re:What's a DLL? by Anonymous Coward · · Score: 0

      DLL (Dynamically Linked Library) contains executable code that can be loaded by one or multiple applications to provide extra functionality. That way, for example, the code of an API can be shared among multiple applications. In UNIX world DLLs are called Shared Objects.

    5. Re:What's a DLL? by lesincompetent · · Score: 5, Insightful

      The obvious questions are:
      - Why are you here?
      - Why the semicolon?

    6. Re:What's a DLL? by beschra · · Score: 1

      Nothing new here.

      And that's the point, right? It's nothing new yet some vendors with some very widely distributed software still have the vulnerability.

      --
      It is unwise to ascribe motive
    7. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Dynamic-link library is Microsoft's implementation of shared library code.

    8. Re:What's a DLL? by Archangel+Michael · · Score: 3, Informative

      Nothing new, because it is how Windows was designed from the early days.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    9. Re:What's a DLL? by Zontar+The+Mindless · · Score: 1

      Do you even have a geek card to turn in? You've never heard of "DLL Hell"? Will wonders never cease...

      --
      Il n'y a pas de Planet B.
    10. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Digital Locked Loop.

    11. Re:What's a DLL? by Anonymous Coward · · Score: 1

      It's like cheese. If you want a sandwich you use already made cheese and don't need to milk a cow, then process the milk to turn it into cheese. To me, 99.99% of anything is cheesy, unless it's not developed by me. That explains the good cheese in the market from my perspective.

    12. Re:What's a DLL? by Anonymous Coward · · Score: 0

      As the other coward pointed out, Dynamic Link (not linked) Library. Basically it is an extension for your core program, a way that multiple programs can utilize the same set of functions for commonly used routines.

    13. Re:What's a DLL? by Anonymous Coward · · Score: 0

      We're talking about Windows... not the iPad "Pro"... or any variant of "linux on the desktop".

    14. Re:What's a DLL? by jones_supa · · Score: 3, Funny

      It's a shared object for a toy computer.

      Are you suggesting that Windows makes a toy computer? Wouldn't a toy GUI consist mostly of big colored squares, dumbed down applications, and a supervisor monitoring your usage patterns?

    15. Re:What's a DLL? by Gr8Apes · · Score: 1, Troll

      Are you suggesting that Windows makes a toy computer? Wouldn't a toy GUI consist mostly of big colored squares, dumbed down applications, and a supervisor monitoring your usage patterns?

      And I present .... METRO

      --
      The cesspool just got a check and balance.
    16. Re:What's a DLL? by Anonymous Coward · · Score: 0

      You can be a geek without ever suffering through a single Windows issue if you avoid Windows.

    17. Re:What's a DLL? by GIL_Dude · · Score: 4, Informative

      Although it is very true that it is how Windows was designed from the early days, modern versions of Windows do have protections against loading DLLs from network locations that applications simply have to opt in to. For those that are designed to be locally installed to have NOT adopted those defenses is just like not bothering to enable ASLR (Address Space Layout Randomization), or other security measures. These applications should be updated to use the protections. Here's info on how to make the updates to applications: https://msdn.microsoft.com/lib...

    18. Re:What's a DLL? by Gr8Apes · · Score: 1

      The problem with DLLs is that there are many versions of the same DLL that often need to run at the same time. Which means that you can substitute one version for another, and hijack a program. Nothing new here.

      If only it were as benign as that. You can even inject DLLs into a system process, and then have code executed as that process unless things have changed dramatically in the past 4 years.

      --
      The cesspool just got a check and balance.
    19. Re:What's a DLL? by Archangel+Michael · · Score: 1

      Why implement it ? That sounds like too much work!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    20. Re:What's a DLL? by Anonymous Coward · · Score: 0

      It's Microsoft's Damaging Logic Loophole. Purposely created to make their products as insecure as possible.

    21. Re:What's a DLL? by Anonymous Coward · · Score: 0

      You aren't a good tech geek if you can't solve issues. That means seeking them out too.

    22. Re:What's a DLL? by mrchaotica · · Score: 1

      That's because it's only a vulnerability in retrospect -- it was intended as a feature.

      (Linux shared libraries -- the fact that every application can use the same copy of, say, GTK instead of having to replicate it -- are the same kind of deal.)

      I haven't read the article, but I suppose the countermeasure is that DLLs should be signed or have hashes checked before loading or something like that.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    23. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Insightful? www.google.com (search DLL and hand in your geek card) and www.merriam-webster.com (someone doesn't have a clue what insightful means)

    24. Re:What's a DLL? by Zontar+The+Mindless · · Score: 1

      You have to know enough about Windows to realise that it should be avoided. In my case, this happened in early 2005.

      --
      Il n'y a pas de Planet B.
    25. Re:What's a DLL? by jones_supa · · Score: 1

      Yeah, that was the crusty joke... although Metro/Modern is called UWP (Universal Windows Platform) these days.

    26. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Wooosh

    27. Re:What's a DLL? by Anonymous Coward · · Score: 0

      So the default behavior of LoadLibrary & LoadLibraryEx is bad (insecure), and the fix is for every application writer to change their code -- why doesn't Microsoft instead change the behavior of the insecure functions?

      Wherever possible, specify a fully qualified path when using the LoadLibrary, LoadLibraryEx, CreateProcess, or ShellExecute functions.

      Hardcode paths directly into your application? I'm sure systems running on non-default C:\ break horribly if following these "recommendations".

    28. Re:What's a DLL? by omnichad · · Score: 1

      And I present...WOOSH!

    29. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Uh, specifying a fully qualified path is not the same as hardcoding a path.

      You could get the full path name using GetFullPathName() for example.

    30. Re:What's a DLL? by Anonymous Coward · · Score: 0

      You should know about other things, even if you don't use them, if you're a geek.

      Otherwise, how do you know what, and why, to avoid?

    31. Re:What's a DLL? by ArmoredDragon · · Score: 2

      I would say that Microsoft could improve on desktop applications by giving them their own namespace or user space (a la Android) but instead they now call these "legacy apps" and have the unrealistic expectation that you use universal apps which do have these protections.

      I say unrealistic because universal apps don't have anywhere near the capability set that you can get with "legacy apps", and there's no reason to write new desktop applications anymore because typically the best way to deliver your application to desktop users is through web apps. If a web app can't do what you need to do, then a universal app probably can't either, and indeed can probably only do less things since it has to operate very strictly within Microsoft's walled garden.

    32. Re:What's a DLL? by mikael · · Score: 3, Informative

      Dynamic Link Library or Shared Object. In the early days of UNIX, it was found that a huge amount of space was being used by GUI applications and command line programs statically linked to common libraries like standard IO, sockets, X-windows, GUIs, maths and crypto libraries. Huge amounts of disk space were being used to store duplicate copies of compiled code. So they figured that it would be more cost effective to dynamically link at run-time instead of at compile-time, with the bonus that they could be compiled into relocatable code only loaded into the system when needed.

      If you run "ldd" on a program, you will see all the libraries needed for that program.

      By separating the library files from the applications, any bugs or problems could be fixed through a simple upgrade. The downside is that someone can rootkit a system by replacing a DLL used by applications that need system access.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    33. Re:What's a DLL? by Goaway · · Score: 1

      Some people using the site now were probably not even born when "DLL hell" was still something that was actually a problem, rather than just a term that Slashdotters parroted.

    34. Re:What's a DLL? by farble1670 · · Score: 1

      isn't the code for a DLL loaded into a shared location in memory?

      The code in a DLL is usually shared among all the processes that use the DLL

      https://en.wikipedia.org/wiki/...

        so if you copy it to .../MyApp/Foo.dll doesn't that defeat that "feature"? why use a DLL at all at that point?

      sincerely yours,
          not a windows developer

    35. Re:What's a DLL? by Opportunist · · Score: 1

      You may incinerate your geek card. We don't even want it back.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    36. Re:What's a DLL? by deKernel · · Score: 1

      I can see this _IF_ the code already attempts a manual load call to the runtime, but I have never seen a method to force an unintended DLL to be loaded into a process space unless the originating binary is modified.

    37. Re:What's a DLL? by Ol+Olsoc · · Score: 1

      Some people using the site now were probably not even born when "DLL hell" was still something that was actually a problem, rather than just a term that Slashdotters parroted.

      That would mean people who haven't been born yet. Revo uninstaller to the rescue

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    38. Re:What's a DLL? by Penguinisto · · Score: 2

      "Windows Dynamic Linked Library" in this case... not seeing a single mention of Linux or OSX in there.

      (Yes, there are equivalents in Linux and OSX, but no indication of the vuln in shared libs, dylibs, or dynamic shared libs, so...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    39. Re:What's a DLL? by Anonymous Coward · · Score: 0

      A true geek knows why he's avoiding Windows...

    40. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Some licenses require that the end users can replace them with their own versions, the Lesser GPL among others. Now a developer could open source his project, provide everything needed to link proprietary object code against a different version of the library or simply include the LGPL code as a DLL. The last is the simplest.

      Further a developer may want to link against one or more DLLs to avoid relinking every function, global variable, etc. his code depends on however indirectly, every time he compiles his executable. Depending on the project that can reduce compile times noticeably.

      Worst case you are at the mercy of some third party and have a black box dependency that only exists as DLL. No way around that.

    41. Re:What's a DLL? by TapeCutter · · Score: 3, Informative

      There is no "bug" with the installers or windows, the machine has been compromised prior to running the software.

      TFA is a "beat up" (likely paid for by Oracle), it does not explain how the attacker is able to put the compromised dll on the machine in the first place. If an attacker can put a random binary on your local drive then they already own your machine. What a random installer subsequently does on a compromised machine is irrelevant to how the machine was hacked.

      Car analogy: If a miscreant cuts your brake line without your knowledge, it is not the manufacturer's fault that the brakes no longer work as advertised. If the manufacturers can make it more difficult to cut the brake line that's great, but they cannot, and should not, be held accountable for malicious damage caused by someone who had unrestricted access to your brake line.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    42. Re:What's a DLL? by TapeCutter · · Score: 1

      The "problem" here is that the machine was compromised before the installers are executed. Yes, you could make a more secure installer that fingerprints the dlls it uses, but that doesn't solve the root problem. The root problem is a compromised machine.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    43. Re:What's a DLL? by mhotchin · · Score: 4, Informative

      Literally the FIRST hit on Google leads to this:
      https://en.wikipedia.org/wiki/...

      tl;dr - it's not really a problem to force an arbitrary process to load a DLL, *if you are an administrator*. As noted elsewhere though, if you have the power to inject, you already owned the machine, so why bother?

    44. Re:What's a DLL? by TapeCutter · · Score: 3, Interesting

      It's no longer a problem with MS libraries but it can still be a problem with third-party DLLs. The problem is not that different to having symlinks point to multiple versions of an .so file in unix. In both cases it works when done correctly, but it's easy to get the wires crossed if you're not careful.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    45. Re:What's a DLL? by Teun · · Score: 1

      Woosh muh?

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    46. Re:What's a DLL? by barbariccow · · Score: 1

      on linux and the like, you can use LD_LIBRARY_PATH to change to a different shared object. This is often preferable or required (assuming you can't recompile and change the rpath, like with binary blobs). How is this news?

    47. Re:What's a DLL? by Pseudonym · · Score: 1

      Do you even have a geek card to turn in?

      Teun's geek card has a 5 digit uid, licensed for advanced deadpan sardonic commenting.

      Yours is 4 digit? Damn, you might have to retake your sarcasm detection certification.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    48. Re:What's a DLL? by deKernel · · Score: 1

      Did you actually read that article? Seriously.

    49. Re:What's a DLL? by Anonymous Coward · · Score: 0

      "DLLs" are a proprietary technology from a single vendor. Would you say the same if tfa was about some shared library technology from Siemens? Of course not because it's impossible to know even cursorily every technology from every vendor. Don't be so fucking smug.

    50. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Some people using the site now were probably not even born when sarcasm

    51. Re:What's a DLL? by Anonymous Coward · · Score: 0

      How the fuck is this modded informative? Michael completely misrepresents the problem. Different programs needing different versions of a DLL is not a problem, and hasn't been a problem for a very long time.

      The problem is when programs load code (whether this code is located in a DLL is irrelevant) from locations where potential attackers have write access and can drop a file containing malicious code. In this particular case, we're talking about software that uses LoadLibrary or equivalent to load one of its DLLs without first restricting LoadLibrary's DLL search location order. For reasons of backwards compatibility (indirectly with Windows 1.0, which came out five years before the first web browser) the current folder / directory is relatively high up the search path, but you can remove it or, if you understand the security implications, move it downward on the list.

      This is a very old and well-known issue, which is even called out in Microsoft's own documentation for LoadLibrary. Any software which is still vulnerable to this in 2016 is written by incompetent morons who shouldn't even be allowed near computers, let alone program them.
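
Added example (editor's code, not from the article, the researcher or anyone in this thread) for the search-order point made in comments 17 and 51 above: a small Python model of the directories LoadLibrary walks for an unqualified DLL name, run against a constructed layout where version.dll has been planted in the Downloads folder next to setup.exe. Directory names, file names and the subset of KnownDLLs are assumptions; the ordering itself is the one in Microsoft's LoadLibrary documentation (SafeDllSearchMode on/off, SetDllDirectory("") removing the current directory, and the LOAD_LIBRARY_SEARCH_* restricted search). The load_system_dll() function at the end is the hardened form of the call itself and only runs on Windows.

```python
"""Model of the Windows DLL search order (added example, not vendor code).

The order follows Microsoft's "Dynamic-Link Library Search Order" page;
every path, file and the 'planted' DLL below are constructed for the demo.
"""
import ntpath
import sys

# LoadLibraryEx / SetDefaultDllDirectories flags (winbase.h values).
LOAD_LIBRARY_SEARCH_APPLICATION_DIR = 0x200
LOAD_LIBRARY_SEARCH_USER_DIRS = 0x400
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800
LOAD_LIBRARY_SEARCH_DEFAULT_DIRS = 0x1000
_RESTRICTED = (LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_USER_DIRS
               | LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)

# Assumed subset of HKLM\...\Session Manager\KnownDLLs: always mapped from System32.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, system32, windows_dir, path_dirs,
                 safe_dll_search_mode=True, cwd_removed=False, flags=0):
    """Directories walked for an unqualified DLL name, in the order they are tried."""
    if flags & _RESTRICTED:
        # Restricted search: the current directory, PATH and the Windows directory
        # are never consulted (user dirs from AddDllDirectory are omitted here).
        order = []
        if flags & (LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
            order.append(app_dir)
        if flags & (LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
            order.append(system32)
        return order
    order = [app_dir]                      # the EXE's own directory is always first
    if not safe_dll_search_mode and not cwd_removed:
        order.append(cwd)                  # SafeDllSearchMode=0: CWD comes second
    order += [system32, ntpath.join(windows_dir, "System"), windows_dir]
    if safe_dll_search_mode and not cwd_removed:
        order.append(cwd)                  # SafeDllSearchMode=1 (default): CWD after system dirs
    return order + list(path_dirs)         # cwd_removed models SetDllDirectory("")


def resolve(name, present, order, system32):
    """The file LoadLibrary would map for `name`, given the files that exist, or None."""
    have = {p.lower() for p in present}
    if ntpath.isabs(name):                 # fully qualified path: no search at all
        return name if name.lower() in have else None
    if name.lower() in KNOWN_DLLS:         # KnownDLLs come from System32 regardless
        return ntpath.join(system32, name)
    for d in order:
        candidate = ntpath.join(d, name)
        if candidate.lower() in have:
            return candidate
    return None


def scenarios():
    """setup.exe run from Downloads with a planted version.dll beside it."""
    downloads, system32 = r"C:\Users\alice\Downloads", r"C:\Windows\System32"
    planted, genuine = ntpath.join(downloads, "version.dll"), ntpath.join(system32, "version.dll")
    present = {ntpath.join(downloads, "setup.exe"), planted, genuine}
    common = dict(cwd=downloads, system32=system32, windows_dir=r"C:\Windows",
                  path_dirs=[r"C:\Program Files\Git\bin"])
    results = {}
    # 1. Installer lives in Downloads: that directory is searched first in every
    #    default mode, so SafeDllSearchMode and SetDllDirectory("") change nothing.
    order = search_order(app_dir=downloads, **common)
    results["default"] = resolve("version.dll", present, order, system32)
    order = search_order(app_dir=downloads, cwd_removed=True, **common)
    results["cwd_removed"] = resolve("version.dll", present, order, system32)
    # 2. Only a restricted search or a fully qualified path reaches the real DLL.
    order = search_order(app_dir=downloads, flags=LOAD_LIBRARY_SEARCH_SYSTEM32, **common)
    results["search_system32"] = resolve("version.dll", present, order, system32)
    results["fully_qualified"] = resolve(genuine, present, order, system32)
    # 3. Same planted file, but the EXE runs from Program Files with Downloads as
    #    the CWD: now the CWD's position decides, which is what SafeDllSearchMode moves.
    app = r"C:\Program Files\Example"
    present.add(ntpath.join(app, "app.exe"))
    for safe in (True, False):
        order = search_order(app_dir=app, safe_dll_search_mode=safe, **common)
        results["prog_files_safe=%d" % safe] = resolve("version.dll", present, order, system32)
    return results


def load_system_dll(name):
    """Windows only: the hardened call, loading a system DLL without searching
    the application directory, the CWD or PATH."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryExW.argtypes = (ctypes.c_wchar_p, ctypes.c_void_p, ctypes.c_uint32)
    k32.LoadLibraryExW.restype = ctypes.c_void_p
    handle = k32.LoadLibraryExW(name, None, LOAD_LIBRARY_SEARCH_SYSTEM32)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    return handle


if __name__ == "__main__":
    for key, value in scenarios().items():
        print("%-20s -> %s" % (key, value))
    if sys.platform == "win32":
        print("version.dll loaded via LOAD_LIBRARY_SEARCH_SYSTEM32: %#x" % load_system_dll("version.dll"))
```

Two things the model makes visible. Moving the current directory down the list (SafeDllSearchMode, enabled by default since Windows XP SP2) only helps when the executable lives somewhere else and Downloads is merely the CWD; for an installer launched from Downloads, Downloads is the application directory and is searched first in every default mode, so the planted DLL wins unless the installer loads with LOAD_LIBRARY_SEARCH_SYSTEM32 or a fully qualified path. And neither mitigation applies to implicit imports, which the loader resolves with the default order before the installer's own code gets a chance to call SetDefaultDllDirectories().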

    52. Re: What's a DLL? by Anonymous Coward · · Score: 0

      Thank you for the further clarification. *slow clap*

    53. Re:What's a DLL? by Anonymous Coward · · Score: 0

      There's more to it. A common way anti-cheat utilities in games are bypassed is by patching the C/C++ Runtime so that the DLL replacement is disguised. So you can put any kind of anti-anti-patching you want into it, but the only way to prevent this from happening is by statically compiling everything, including the runtime. The GPL makes this impossible.

      This same runtime patching can be done by malware (I haven't seen any in the wild) to bypass any kind of anti-malware detection by making it so AV products are never able to see the malware. All of this can be averted by using 64-bit binaries, statically compiling everything so there are no DLL files, and making sure things like DEP and ASLR are mandatory. I have seen this runtime-patching done to MMORPG's (mostly against Hackshield) starting around 2010. Things have only become more complicated since.

      What I'd like to mention is that the need for "DLL"'s hasn't been a good idea ever since Windows 2000. Originally they were meant to conserve disk space and memory so that only a single invocation of a library is needed, but ever since Windows Vista and the .NET frameworks came along, everyone ends up using their own local copies of the libraries and not the system libraries anymore. Even on Linux this is done because the dependency hell is that much more aggravating if a product requires both binaries and sources compiled to be complete (*cough*nVidia Drivers*cough*)

      Ultimately the best solution is for everyone to not use the GPL/LGPL and instead pick a license where the source must be open but restrictions on binaries allows complete static compilation.

    54. Re:What's a DLL? by KGIII · · Score: 1

      No, I don't use Windows on my computer... No, I am not a shill.

      But...

      At some point, it's time for the programmers to do things the right way and not expect the OS to prevent them from making mistakes. I know it's fun to blame Microsoft when you don't know better or understand the problem but, really, this should not be a problem because the people writing the program are responsible for their DLLs and their usage. I know, I know... That does actually mean that they're accountable and accountability is a scary thing.

      That said, there's likely a legitimate reason to implement it this way. It's probably for legacy support. You know, that thing everyone complains about if they don't do it for their 30 year old application (and sometimes that complaint is justified but Microsoft is not unique in that area)? I'd guess, I've not researched it, that this was for legacy reasons and I'm sure MS would love to force strict adherence to the use of ASLR, for example. Hell, it'd probably make their lives easier. Not to mention, you'd just be bitching if they had - "Why are they taking choice away?!?"

      So, no... No, no, no... Anyone who has seen my posts knows that I hold programmers, of a certain capacity, on a pedestal and that I hold them in high esteem for good reason. However, at some point the responsibilities are with the coder.

      --
      "So long and thanks for all the fish."
    55. Re:What's a DLL? by KGIII · · Score: 2

      Just earlier today, I ran this very command:

      sudo ln -sf /lib/$(arch)-linux-gnu/libudev.so.1 /lib/$(arch)-linux-gnu/libudev.so.0

      I did not read the article but the above command not only was acted on - it had the effect I wanted. I better go file a bug report!

      --
      "So long and thanks for all the fish."
    56. Re:What's a DLL? by Anonymous Coward · · Score: 0

      If you have no understanding of other environments even if only to know enough to avoid them then you aren't a geek, that is what a zealot spouts.

    57. Re:What's a DLL? by Bert64 · · Score: 1

      Well the problem seems to be that Windows will load DLL files from the same directory that the executable is in by default, and this behaviour is retained for backwards compatibility because a lot of programs expect to work this way...
      This is yet another case of a serious design flaw in Windows which causes ongoing security problems, and cannot be easily fixed without breaking compatibility and/or extra hoops for users or developers to jump through.

      This is exploitable by preloading a user's downloads directory with malicious DLL files and then waiting for them to download and execute a binary installer from the same downloads directory. Which brings up other Windows flaws: installers are usually executable binaries rather than a data file to be processed by a package manager (yes there is MSI but it isn't commonly used)... Plus the fact that users commonly install software this way rather than going through a repository.

      Other systems simply don't work this way... Libraries are never loaded from the current directory by default, applications on unix systems are usually expected to use system versions of libraries rather than bundling their own, and applications on OS X are bundled up with their own libs if required. Linux users typically don't download and run arbitrary binaries, instead they select software from their repo.

      This now seems to be another extra hoop that developers must jump through to make windows software, hassle that simply doesn't exist on any other platform.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    58. Re:What's a DLL? by KGIII · · Score: 1

      Or, alternatively, don't let code access your system that you don't want. In other words, keep it locked down. How did the malicious DLL get into that folder, specifically, and was able to be called? And, if they can do that, why not just compromise the system in a hundred other ways instead of some half-assed way that might not work by using a DLL? They've already got access rights to put the DLL there. If they can do that then why do this? Just avoid it, as a programmer, on general principle but it's hardly a bug - it's working as designed.

      Heh, it's not a bug! It's a feature. Seriously though, think about it for a minute. To put the DLL there in the first place they had to have access. How'd they get that access? Yeah, if they could do that then why put a DLL there that may very well not actually do anything - ever? There is, literally, no reason to make it more difficult with less chance of success. They've already owned the box just to put the DLL there.

      --
      "So long and thanks for all the fish."
    59. Re:What's a DLL? by Bert64 · · Score: 1

      Some browsers will auto save files to the designated downloads location, a malicious website can exploit this feature to get a dll into your downloads directory. If you then execute an installer from the same directory then you can be infected.
      Getting a file into your downloads directory is not a compromise as the file has not been executed, and on other platforms the presence of malware in your download directory is harmless unless you actually go out of your way to execute it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
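
Added example (editor's code, not from the article, the researcher or any commenter) for the Downloads scenario in comments 57 and 59, and for the question in comment 36 of how a DLL gets into a process without patching the binary: the answer is the executable's own import table, which the loader resolves from the EXE's directory first, before the first instruction of the installer runs. The script walks a PE file's import directory in pure Python and reports which of the DLLs sitting beside each installer are ones it imports. The installer is a constructed minimal PE32 built in memory (an import directory and nothing else), the sibling files are constructed, and the KnownDLLs subset is an assumption; scan_folder() applies the same check to a real directory.

```python
"""Added example: which DLLs beside an installer would the loader actually pick up?

imported_dlls() is a minimal import-directory walk for PE32/PE32+ (no pefile needed).
build_sample_installer() fabricates a tiny PE32 so the demo runs without a real binary.
"""
import os
import struct

# Assumed subset of KnownDLLs: these are served from System32, not the EXE's directory.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def imported_dlls(pe):
    """DLL names in a PE image's import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+ data directories
    import_rva = struct.unpack_from("<I", pe, datadir + 8)[0]  # directory entry 1 = imports
    if import_rva == 0:
        return []
    sections = []                                             # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + rva - vaddr
        raise ValueError("RVA %#x outside every section" % rva)

    names, desc = [], rva_to_offset(import_rva)
    while True:                                               # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        name_rva, first_thunk = struct.unpack_from("<II", pe, desc + 12)
        if name_rva == 0 and first_thunk == 0:
            break                                             # all-zero terminator
        off = rva_to_offset(name_rva)
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii"))
        desc += 20
    return names


def build_sample_installer(dll_names):
    """Constructed PE32 'setup.exe' importing `dll_names`: one .idata section, no code."""
    sec_rva, sec_raw, desc_len = 0x1000, 0x200, 20 * (len(dll_names) + 1)
    strings, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_len + len(strings))
        strings += n.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, sec_rva + 0x180) for rva in name_rvas)
    section = (descs + b"\0" * 20 + strings).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, desc_len)                  # import directory entry
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", 0x200, sec_rva, 0x200, sec_raw) + b"\0" * 16
    return (dos + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b"\0") + section


def hijack_candidates(entries):
    """entries: {file name: bytes}. Returns {installer: [sibling DLLs it imports]}."""
    dlls = {n.lower() for n in entries if n.lower().endswith(".dll")}
    report = {}
    for name, data in entries.items():
        if not name.lower().endswith(".exe"):
            continue
        try:
            imports = imported_dlls(data)
        except ValueError:
            continue                                          # not a PE image; skip it
        hits = sorted(i.lower() for i in imports if i.lower() in dlls and i.lower() not in KNOWN_DLLS)
        if hits:
            report[name] = hits
    return report


def scan_folder(path):
    """Run hijack_candidates() over a real folder such as %USERPROFILE%\\Downloads."""
    entries = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as f:
                entries[entry.name] = f.read() if entry.name.lower().endswith(".exe") else b""
    return hijack_candidates(entries)


if __name__ == "__main__":
    sample = {"setup.exe": build_sample_installer(["VERSION.dll", "KERNEL32.dll"]),
              "version.dll": b"<planted>", "kernel32.dll": b"<planted>", "notes.txt": b""}
    print(hijack_candidates(sample))
```

A hit from this scan only means the precondition described in the comments above is met, not that anything has run; and it only covers implicit imports, since DLLs the installer loads later with LoadLibrary follow the search-order rules discussed elsewhere in this thread. kernel32.dll beside the installer is not reported because KnownDLLs are mapped from System32 no matter what sits in the EXE's directory.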
    60. Re:What's a DLL? by Bert64 · · Score: 1

      Or written by people who primarily develop for non windows platforms where this isn't a problem...
      Why should developers on windows have to jump through so many hoops that they don't need to know about on other platforms?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    61. Re:What's a DLL? by thegarbz · · Score: 1

      "DLLs" are a proprietary technology from a single vendor.

      Yes a proprietary technology from the largest vendor of IT software in the world.
      A proprietary technology which has been around for 20 years.
      A proprietary technology that every programmer bashes their head against at some point in their career.
      A proprietary technology that is taught about at universities.
      A proprietary technology which every computer user in the past 20 years has received at least one error message about.

      did I forget anything?

      Oh yeah of course. A proprietary technology that was deemed a laughing stock, insecure, a library management problem so bad that it coined its own term for what happens when a computer system goes fully south: "DLL Hell"

      and I'm not even a programmer, I don't even work in IT.

    62. Re:What's a DLL? by Gr8Apes · · Score: 1

      I don't think you quite get the seriousness of the issue. It boils down to if you have access to a windows box where you can create and execute a file on it, you can own the box relatively trivially regardless of your privileges. This is why MS always appears to have whack-a-mole security patches. If you look at the CVEs over time, you'll start to think you're Bill in Groundhog Day.

      --
      The cesspool just got a check and balance.
    63. Re:What's a DLL? by Anonymous Coward · · Score: 0

      When you call a platform API (like LoadLibrary) you read the documentation and there's no excuse for not doing so. All platforms are different (Linux has many warts as well; I'm speaking from experience) and you cannot expect to translate Windows code to say Linux or vice-versa by pasting in the names of similar-enough sounding functions. The whole idea is lunacy.
      Again, the developers of these programs shouldn't be allowed near a keyboard.

    64. Re:What's a DLL? by PlusFiveTroll · · Score: 1

      >They've already owned the box just to put the DLL there.

      Not exactly.

      With UAC a prompt occurs to get administrative access; if this occurs at a time when the user does not expect it they may very well say no. Drive-by downloads are one particular class of bug that can put a file in Downloads but has no risk of executing the file at that time. Yes, they are a bug that needs fixing, but one that seems to commonly occur. It is only later when an administrative installer executes that the system can be fully taken over.

    65. Re:What's a DLL? by PlusFiveTroll · · Score: 1

      > If an attacker can put a random binary on your local drive then they already own your machine

      Pretty much no.

      >If a miscreant cuts your brake line without your knowledge,

      Terrible analogy. Because it's not what's occurring here. They don't have unrestricted access to critical systems on your car. It's more like they put a brake line cutting machine in your front seat. It's not until you get into the car and say "Are you sure you want to run the program START CAR with administrative access" that your line can be cut.

      Let's go back to your original idea that the machine is compromised. If I have a virus file in C:\Dont_execute_anything_from_here, is my machine compromised? No, in most cases a file sitting on the drive would not randomly self execute. But, now let's say file "bad_code.exe" was written in such a way it took over program flow from my anti-virus when it was scanned. We would certainly say that the anti-virus vendor was at fault in this case.

    66. Re:What's a DLL? by godefroi · · Score: 1

      Thing is, as Raymond would say, you're already on the other side of the hatchway. If you can write arbitrary malicious DLLs in the user's downloads folder, then why not just patch the .exe you find there?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    67. Re:What's a DLL? by godefroi · · Score: 1

      Uh, if my browser silently downloads (executable!) files without me knowing, yeah, that's a compromise.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    68. Re:What's a DLL? by xTantrum · · Score: 1

      The obvious question is; what's a DLL?

      ...and these, ladies and gentlemen, are the coders we now have on /.

      --
      $action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
    69. Re:What's a DLL? by goarilla · · Score: 1

      Yes, but in Windows the LD_LIBRARY_PATH analog always includes the current working directory and application directory, and a lot of applications have come to depend on that.
      This (binary planting) is also the reason why everybody on Linux warns you about setting PATH to include the CWD, or, if you really have to, to append it at the end.

    70. Re:What's a DLL? by Anonymous Coward · · Score: 0

      No, that's the default setting, more or less. Chrome doesn't prompt before it starts to download IIRC, and the download indicator at the bottom of the window could easily be missed by the user. Opera hides downloads behind a tiny toolbar button, as does Firefox. But I believe that Firefox still prompts while starting the download itself invisibly in the background.

    71. Re:What's a DLL? by godefroi · · Score: 1

      IE6 was highly exploitable in its default configuration, did that make it simply a feature?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    72. Re:What's a DLL? by Anonymous Coward · · Score: 0

      and most systems will generate code that will look for libraries in the app directory first then the system directory...

      It's been like this for decades.

      Where's the news here?

      Sure on Windows it might be a bit easier to have some third installer install a lib in some apps directory given that windows apps are more likely to be known as to where installed with not much protection...

      Of course if they want to turn on signing this would break things that WORK by RELYING on said injection, e.g. MGE (Morrowind Graphics Extender and its successor), things like vorpx, etc. (These intercept DirectX calls for manipulation: MGE improves shaders and general video quality, while vorpx attempts to make non-VR-friendly graphics apps/games VR-friendly again by intercepting and manipulating DirectX calls.)

      Tempest in a teapot.

    73. Re:What's a DLL? by Anonymous Coward · · Score: 0

      | Hardcode paths directly into your application?

      Bloody stupid idea.
      A(lmost a)ll Windows system DLLs live in %SystemRoot%\System32\. Its path is returned by GetSystemDirectory(). Use this to build the fully qualified path.
      For private DLLs which are installed with your application save the path to its installation directory in the registry. Let your application retrieve it from there and build the fully qualified path.

      If your application is installed in a "secure" (i.e. ACL protected) directory where only administrators can write you can of course use relative paths: your private DLLs will be loaded from the application directory and the system DLLs from %SystemRoot%\System32\

      If your application is designed to be run from an unsafe directory (like "Downloads" or any other directory in your %USERPROFILE%) you MUST use fully qualified paths.

    74. Re:What's a DLL? by Anonymous Coward · · Score: 0

      Because no browser "patches" .exe found in the "Downloads" directory: browsers either prompt before they overwrite an existing file in the "Downloads" directory or suffix the filename with "()".

    75. Re:What's a DLL? by Anonymous Coward · · Score: 0

      | They've already owned the box just to put the DLL there.

      No. Both Microsoft Edge and Google Chrome silently download files, including .exe and .dll, to their "Downloads" folder.
      Just use in your web page(s).

    76. Re:What's a DLL? by Anonymous Coward · · Score: 0

      | Any software which is still vulnerable to this in 2016 is written by incompetent morons who shouldn't even be allowed near computers, let alone program them.

      AMEN!

  2. DLL Hijacking by Anonymous Coward · · Score: 5, Informative

    There's an informative (and non-PDF) post on Fortinet's blog discussing DLL hijacking. You can use a registry tweak to harden a system against this technique.

  3. Update from TFA by Anonymous Coward · · Score: 1

    "UPDATE: Mr. Kanthak has told Softpedia that "most of the companies/vendors I contacted patched their products." Rapid7 went so far as to withdraw their ScanNow product altogether.

    "Some of the companies/vendors which did not reply to my reports in the first place contacted me after they became aware of the [public disclosure] posts and fixed their installers, or are working on a fix now," Mr. Kanthak also added.

    Additionally, there are also some other software products for which Mr. Kanthak has not yet posted a public disclosure post, but to which he reported vulnerabilities, and the companies are now working on a fix."

    1. Re:Update from TFA by Anonymous Coward · · Score: 0

      "UPDATE: Mr. Kanthak has told Softpedia that "most of the companies/vendors I contacted patched their products." Rapid7 went so far as to withdraw their ScanNow product altogether.

      "Some of the companies/vendors which did not reply to my reports in the first place contacted me after they became aware of the [public disclosure] posts and fixed their installers, or are working on a fix now," Mr. Kanthak also added.

      Additionally, there are also some other software products for which Mr. Kanthak has not yet posted a public disclosure post, but to which he reported vulnerabilities, and the companies are now working on a fix."

      One has to wonder if Mr. Kanthak did a very good job trying to contact these people properly. After all, he has TrueCrypt listed, good luck getting in touch with the devs or hoping a new version of the installer gets released....

  4. Other side of the airtight hatchway by Anonymous Coward · · Score: 1

    If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code. Why bother with the DLL?

    cf: Raymond Chen

    1. Re:Other side of the airtight hatchway by tepples · · Score: 2

      I don't know how code signing verification policy works on Windows, but on OS X, Gatekeeper checks only an app's main executable for a signature against an Apple-issued code signing certificate, not other executables in the same folder that it loads.

    2. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 1

      I could think of a real simple attack vector: Repackaged popular apps. Think... Um... I don't know... XcodeGhost: http://www.cultofmac.com/38970...

      With Apple? A known good product (XCode) was replaced with a "changed" version. That changed version did "bad things".

      Now that you're following along... Put up versions of all the afflicted applications... with 'adjusted' DLLs. What's that? You need my permission to install that program that I just downloaded? Of course you do *clicks accept permission elevation* Bam. Adjusted DLL and you're none the wiser.

    3. Re:Other side of the airtight hatchway by bluefoxlucid · · Score: 4, Informative

      Actually, you only have to insert it into the current working directory. For example: Get a dll file downloaded into Downloads, then wait for the user to run Setup.exe and have UAC hand it admin privileges. Now your non-privileged process has put a DLL file in the Downloads directory *with* Setup.exe, which loaded Downloads\CommDlg32.dll and was granted Administrator access. Now you have admin access.

      Microsoft Word used to do this if you had a DLL file with the same name as a System32 DLL in the same path as a Word document.

    4. Re:Other side of the airtight hatchway by pr0fessor · · Score: 3, Insightful

      In this case it would be up to the installer to verify that it is loading a valid library. The problem is if somehow a certain named and versioned dll can be downloaded to the same folder you execute the installer from it can execute arbitrary code when the installer initializes it using the elevated privileges you granted the installer.

      So in order to implement this side-loading you would first need to take advantage of another vulnerability to get that library in the right place.

      In order to protect against this they could simply not include the execution folder in the search path and validate the library in a manner other than just the name and version which can be faked.

      If someone were to try and exploit this, chances are they would attempt to run their code in the background while leaving the rest of the library untouched so the installer would complete without tipping off the user. This means something as simple as a file size could validate there wasn't a bunch of extra code present, although there are better methods for validating a library.


    5. Re:Other side of the airtight hatchway by The+MAZZTer · · Score: 2

      MSDN is saying, by default, "Safe DLL" loading is used, in which the current directory is only used if loading the DLL from most other locations failed. So this would not be viable any more. It sounds like this problem was identified and fixed long ago. Any attempt to exploit this now would require gaining greater access first, and once you're there there's no point to using DLL hijacking any more.

      https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

    6. Re:Other side of the airtight hatchway by nmb3000 · · Score: 5, Informative

      If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code. Why bother with the DLL?

      cf: Raymond Chen

      Exactly. Raymond covered this a few times in the past.

      Using delayload to detect functionality is a security vulnerability
      It rather involved being on the other side of this airtight hatchway: Disabling Safe DLL searching

      If Safe DLL Search Mode is enabled, then the Current Directory isn't searched until after all the system directories are searched. Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2).

      This sounds like a complete non-story.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    7. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      Oh yeah, that's also why I don't trust Windows because I've downloaded a pirated version from an untrustworthy website.

      Only idiots got bit by that version of XCode.

    8. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      No, it's not a "complete non-story", stop being an apologist for a defect in Windows. Of course it's a story because even with those links you posted the vulnerabilities could still be exploited. Duh.

    9. Re:Other side of the airtight hatchway by pointybits · · Score: 1

      The issue for installers is that "the directory from which the application loaded" is the Downloads directory, not somewhere secure like c:\program files. This directory, which is not necessarily the current directory, is still first in the search order even when Safe DLL Search Mode is enabled.

    10. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      They could keep the filesize the same by removing functions from the dll that the program doesn't use -- or possibly through advanced techniques like compressing the code, then decompressing it into memory when executed.

    11. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      | If you have the ability to write a malicious DLL into a folder for the executable, you already have the ability to run administrator level code.

      That's complete and utter bullshit!
      The user's "Downloads" folder (more precisely: %USERPROFILE% and below) is writable without administrative privileges.

    12. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      | I don't know how code signing verification policy works on Windows.

      UAC checks the executable's digital signature only, and none of its dependencies.
      You can, however, use SAFER, alias software restriction policies (introduced with Windows XP more than 14 years ago), to let the loader check the signatures of DLLs too.

    13. Re:Other side of the airtight hatchway by Anonymous Coward · · Score: 0

      | Actually, you only have to insert it into the current working directory.

      The "Downloads" folder is Setup.exe's "application directory", not its CWD!
      Thus system DLLs like UXTheme.dll or FEClient.dll get loaded from there instead of the "system directory".

  5. Who knew installed binaries are bad?!?!?! by Anonymous Coward · · Score: 0

    Wow. A binary that gets installed on a system can be bad.

    What next?

  6. Ignoring his reports by Anonymous Coward · · Score: 0

    They're ignoring his reports?

    That's probably because they are 1 step away from saying attackers can place "malware.exe" on your system that, when executed, does bad things.

  7. Why is this a flaw in the app, and not the OS? by MSG · · Score: 3, Interesting

    I'm aware of the Windows DLL load behavior, and how it creates "DLL Hell." I never thought of the security implications, because I assumed that Windows behaved more ... sanely.

    The root of the problem is that the affected applications are installers, which need to be run with elevated rights. On Linux systems, for example, when an application is run with escalated rights (through SUID or sudo), the dynamic library loader uses only the system library paths and ignores user specified paths (such as the LD_LIBRARY_PATH environment variable).

    Why the HELL doesn't Windows do the same for apps run as administrator?

    1. Re:Why is this a flaw in the app, and not the OS? by Anonymous Coward · · Score: 0

      Because on Linux the installers are distributed with the OS and on Windows the installers are third-party (and thus version-sensitive) programs.

    2. Re:Why is this a flaw in the app, and not the OS? by Anonymous Coward · · Score: 0

      That's not even what this is about. This is about Office, 7zip and whatever other programs looking in the directory you ran the exe from (if used casually through explorer, that's where the file was that you tried to open) as the second place in their dll hunt path.

      A silly vulnerability, but a stray dll is also suspicious in its own right.

    3. Re:Why is this a flaw in the app, and not the OS? by Anonymous Coward · · Score: 0

      Because packaging dynamic libraries (or versions of them), that aren't provided by the base OS, together with the application, is best practice on Windows. Mind you, in any acceptable system configuration this "attack" would only work for installers and portable applications, or perhaps systems with UAC turned off (which is really dumb). Any directory in the DLL search path for a normal application installed in a normal location is only writable by an (elevated) administrator user. If you can drop a random DLL file into such a folder you've already got administrator rights on the machine, so why make things any more complicated?

    4. Re:Why is this a flaw in the app, and not the OS? by MSG · · Score: 1

      That's not app-specific behavior. That's how the Windows library loader works.

    5. Re:Why is this a flaw in the app, and not the OS? by The+MAZZTer · · Score: 5, Informative

      MSDN documents guidelines for preventing malicious DLL loading. Windows has already cut off "current directory" forms of attacks by changing the DLL load order (called "Safe DLL Search Mode" in that document), and with Vista locking down Program Files for admin-only access, "application directory" attacks are also out unless apps intentionally install themselves elsewhere (then they're on their own). As for installers, users have to get tricked into downloading the DLL first, and at least Chrome gives you a big warning that the file is suspicious due to its extension. And if you can get the user to do that, you might as well just give them an EXE and skip the warning. It's easier to put together a malicious EXE too.

    6. Re:Why is this a flaw in the app, and not the OS? by StormReaver · · Score: 4, Funny

      ...because I assumed that Windows behaved more ... sanely.

      After all these years, why the hell would you think that?

    7. Re:Why is this a flaw in the app, and not the OS? by scdeimos · · Score: 3, Interesting

      Any directory in the DLL search path for a normal application installed in a normal location is only writable by an (elevated) administrator user. If you can drop a random DLL file into such a folder you've already got administrator rights on the machine, so why make things any more complicated?

      You've obviously never heard of ClickOnce then. ClickOnce deployment technology, available since .NET Framework 2.0, allows a signed application and its related DLLs to be downloaded into a folder within the user's own AppData folder structure and executed from there. It doesn't require Administrator rights to do this because it's within the user's own AppData folder structure. Just because an application is signed doesn't make it trustworthy.

    8. Re:Why is this a flaw in the app, and not the OS? by Anonymous Coward · · Score: 0

      This is not about the Windows equivalent to LD_LIBRARY_PATH. It's about the Windows equivalent to /etc/ld.so.conf.

      Windows has two modes for loading DLLs. The old one, and the "safe" one. "Safe" is default from XP SP2.

      Old:
      1. Application directory.
      2. Current directory.
      3. System directories.

      Safe:
      1. Application directory.
      2. System directories.

      While this does get rid of "." in the search path (a *nix best practice since the beginning of time (probably the RTM internet worm)), it still has the application directory, which for installers is the downloads directory. I.e. where modern browsers will dump anything that is neither HTML nor images, without even asking.

      To compare, the default ld.so.conf contains: /lib /usr/lib

      with /usr/local/lib often added.

      Not only does this not contain ".", it also doesn't contain the application directory (I don't even think that's supported).

  8. In other words... by Anonymous Coward · · Score: 0

    "Program doesn't notice if you WHOLESALE REPLACE EXTERNAL BITS WITH OTHER BITS"

    No shit. Welcome to Windows. For that matter, welcome to EXTERNAL FUCKING LIBRARIES IN GENERAL YOU FUCKING TWAT.

    1. Re:In other words... by Junta · · Score: 1

      I think the complaint is that the LD_LIBRARY_PATH equivalent is doing questionable things given the conventions of the target platform.

      It's hard to say as there's zero details in the article and I don't have time to research what I don't really care about that much.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  9. What about LGPL dynamic linking compliance?! by Anonymous Coward · · Score: 0

    I'm not a lawyer, so if you are and I'm wrong then please, I beg of you a million times, correct me! But from what it is that I understand about LGPL licensed software libraries it is that the LGPL licensed software library must be linked dynamically so that somebody can swap in a modified version if they want. That is what prevents the LGPL licensed software from infecting your maybe non-LGPL licensed software with the infection of LGPL license. So if techniques are used by a non-LGPL licensed software to prevent DLLs which may be LGPL licensed from being swapped out then does that mean that the non-LGPL licensed software is now in severe violation of the terms and conditions of the LGPL licensed software? Is this a big danger for people who do not want their non-LGPL licensed software infected by the LGPL? Should they avoid the LGPL libraries and use libraries released under non-totalitarian licenses like the BSD or MIT licenses instead so there are no doubts because no LGPL licensed software is being used at all?

    1. Re:What about LGPL dynamic linking compliance?! by Anonymous Coward · · Score: 0

      The more of these license holy war troll posts I see, the more I tend toward RMS's belief that non-free software is just plain unethical.

    2. Re:What about LGPL dynamic linking compliance?! by sjames · · Score: 2

      It isn't a problem, and the installer need take no special measures. The system's loader restricts the search path for dynamic libraries when it's running with elevated privileges so you don't accidentally run an infected library in some random location (for example, the download directory).

      There are also techniques available to load libraries from a specific path after the program starts rather than at load time. You can use that to choose a specific full path to the exact library you want to load and it still counts as dynamic linking.

  10. DLL Hell by Anonymous Coward · · Score: 0

    They don't call Windows DLL hell for no reason, after all.

  11. There are literally dozens of them... by Anonymous Coward · · Score: 3, Funny

    DOZENS!

    1. Re:There are literally dozens of them... by Anonymous Coward · · Score: 0

      Researcher finds decaproducts of software vulnerable to longstanding bug^H^H^H feature of using DLL files.

  12. How to link statically with LGPL program by tepples · · Score: 1

    An LGPL program can be linked statically to a proprietary program so long as the proprietary program's publisher makes available to its licensees a set of working .o files that can be linked to a new version of the LGPL program.

  13. Is JDBC a fix for this problem? by Anonymous Coward · · Score: 1

    I have asked my Hyderabad team to investigate this problem and they have reported back to me that JDBC is a fix for it.

    Can anyone confirm if JDBC is a fix for this DLL problem?

    How would a Java database connectivity layer fix this if it's a problem with a C++ program interacting with a C++ DLL?

    1. Re:Is JDBC a fix for this problem? by Matheus · · Score: 1

      You should immediately discontinue using this team...

      Token car analogy:
      Q: "There is a problem with the ignition system in my car. Please investigate!"
      A: "Tires will fix your problem! Get Tires!"

    2. Re:Is JDBC a fix for this problem? by Anonymous Coward · · Score: 0

      This must be a joke and if it is, good one. Now, do the needful.

  14. Oh look... by Anonymous Coward · · Score: 0

    Norton is more secure than Bitdefender, NOD32 and Kaspersky... F y'all who hate on it for no reason when the others are even worse.

    1. Re:Oh look... by Anonymous Coward · · Score: 0

      Which is funny because Norton is not mentioned as being safe, just omitted from the partial list of vulnerable installer programs given in the article. Whether it appears on a complete list is a mystery.

    2. Re:Oh look... by Anonymous Coward · · Score: 0

      NO anti-virus is secure or can provide appropriate protection, they are all complete crap!

  15. static linking on windows by bytesex · · Score: 0

    Can static linking on windows be done? I mean, Firefox, who cares? But products like truecrypt should be statically compiled, and require no resources from their operating system.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:static linking on windows by s122604 · · Score: 1

      absolutely it can, it's usually just a question of setting the right flags in your IDE.. In these days of laptops with 16 gigs of RAM, it's the way to go for most things.

    2. Re:static linking on windows by grilled-cheese · · Score: 2

      That would make sense but there are two things to consider. First, you may be using a different compiler or even language all together for a dll versus your main application. Second, there are legal implications with OSS licenses when it comes to dynamic versus static linking.

    3. Re:static linking on windows by wonkey_monkey · · Score: 2

      It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding. At least with dynamic linking you can blame the user for not keeping up to date!

      I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.

      --
      systemd is Roko's Basilisk.
    4. Re:static linking on windows by swb · · Score: 2

      It does leave you permanently vulnerable to any flaws in the particular version of the library you linked against, or such is my understanding.

      The assumption being that anyone (for most definitions of anyone) knows what DLLs their application loads and what the status of their patch levels are.

      I still static link though because whenever I upload something (using a video filtering plugin) at least one person won't have the right runtime installed at all.

      Which IMHO is the main mitigating factor -- what's the actual security risk versus the functional risk of the wrong library breaking the program?

      I don't know if it's technically possible, but it would be interesting to use a computer where everything was statically linked to see how much worse resource usage really was.

    5. Re:static linking on windows by Anonymous Coward · · Score: 0

      Which IDE comes with NON-import libs for the Windows systems DLLs?
      THINK before you post!

  16. SetDllDirectory("") by Anonymous Coward · · Score: 0

    The fix is to call SetDllDirectory("") before using LoadLibrary(). The problem is that by default, when using LoadLibrary(), Windows searches the application directory, then the current directory.

    This also only seems to affect DLLs loaded using LoadLibrary(), not those linked in using import libraries.

    More information: https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

    1. Re:SetDllDirectory("") by The+MAZZTer · · Score: 1

      You have that backwards... the article you linked says it is enabled for all apps by default. Calling SetDllDirectory DISABLES Safe DLL Loading and causes the problem!

    2. Re:SetDllDirectory("") by Anonymous Coward · · Score: 0

      | This also only seems to affect DLLs loaded using LoadLibrary(), not those linked in using import libraries.

      It's the other way round!
      DLLs linked via import libraries (cf. load-time linking) are loaded from the "application directory" unless the DLLs are listed as KnownDLLs (or you change the simple filenames in the executable's IMPORT table to fully qualified pathnames).
      For DLLs loaded via LoadLibrary() (cf. runtime linking) the "application directory" can be excluded per call to SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) before using LoadLibrary() (and of course per entry in KnownDLLs too).
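
The search orders listed in comment 7.8 above and the two fixes named in this reply (KnownDLLs and SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)), as an added example that is not part of the thread and not code from Mr. Kanthak, Microsoft or any vendor named in the article. It is a small Python model of the Win32 loader's search (Python so it runs anywhere; the real loader is native Win32), using the orders from the MSDN "Dynamic-Link Library Search Order" page linked above. The user name "alice", the Downloads/Documents paths, the installer's import list and the planted files are constructed for the demonstration; the KnownDLLs subset contains real entries. The model ignores modules that are already loaded and the 16-bit system directory.

```python
"""Model of the Win32 loader's DLL search, showing where a planted DLL wins.

Added example for this thread, not code from Mr. Kanthak, Microsoft or any
vendor in the article. The orders follow the MSDN "Dynamic-Link Library Search
Order" page. The user name, paths, import list and the planted files are
constructed for the demo; the KnownDLLs subset lists real entries. The model
ignores already-loaded modules and the 16-bit system directory.
"""
from typing import Dict, Iterable, List, Optional

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The loader never searches the disk for these names; they come from System32.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def search_order(mode: str, app_dir: str, cwd: str,
                 path_dirs: Iterable[str] = ()) -> List[str]:
    """Directories consulted, in order, for a bare DLL file name."""
    if mode == "legacy":         # SafeDllSearchMode disabled (pre-XP SP2 default)
        return [app_dir, cwd, SYSTEM32, WINDOWS, *path_dirs]
    if mode == "safe":           # SafeDllSearchMode on, the default since XP SP2
        return [app_dir, SYSTEM32, WINDOWS, cwd, *path_dirs]
    if mode == "system32_only":  # SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
        return [SYSTEM32]        # applies to LoadLibrary(), not to load-time imports
    raise ValueError(f"unknown search mode: {mode}")


def resolve(name: str, mode: str, app_dir: str, cwd: str, fs: Iterable[str],
            path_dirs: Iterable[str] = ()) -> Optional[str]:
    """Path the loader would map for `name`, or None when nothing is found.

    `fs` is the set of existing files (constructed); names compare
    case-insensitively as on NTFS. A fully qualified name skips the search.
    """
    present = {p.lower(): p for p in fs}
    if "\\" in name:                                # fully qualified: no search
        return present.get(name.lower())
    if name.lower() in KNOWN_DLLS:                  # KnownDLLs: System32 only
        return present.get(f"{SYSTEM32}\\{name}".lower())
    for directory in search_order(mode, app_dir, cwd, path_dirs):
        hit = present.get(f"{directory}\\{name}".lower())
        if hit is not None:
            return hit
    return None


def hijackable_imports(imports: Iterable[str], mode: str, app_dir: str,
                       cwd: str, fs: Iterable[str]) -> Dict[str, str]:
    """Imports resolved from anywhere other than the Windows/System32 tree.

    For an installer started from Downloads, every entry here is a planting
    target: a user-writable file satisfies an import of an elevated process.
    """
    trusted = (SYSTEM32.lower() + "\\", WINDOWS.lower() + "\\")
    found = {}
    for name in imports:
        hit = resolve(name, mode, app_dir, cwd, fs)
        if hit is not None and not hit.lower().startswith(trusted):
            found[name] = hit
    return found


# Constructed scenario: Setup.exe lives in Downloads (its application directory)
# and is started with Documents as the current directory. A planted UXTheme.dll
# sits next to Setup.exe, a planted FEClient.dll in the current directory, and a
# planted kernel32.dll in Downloads that KnownDLLs renders harmless.
DOWNLOADS = r"C:\Users\alice\Downloads"
DOCUMENTS = r"C:\Users\alice\Documents"
FS = {
    rf"{DOWNLOADS}\Setup.exe",
    rf"{DOWNLOADS}\UXTheme.dll",
    rf"{DOWNLOADS}\kernel32.dll",
    rf"{DOCUMENTS}\FEClient.dll",
    rf"{SYSTEM32}\UXTheme.dll",
    rf"{SYSTEM32}\FEClient.dll",
    rf"{SYSTEM32}\kernel32.dll",
}
SETUP_IMPORTS = ["kernel32.dll", "UXTheme.dll", "FEClient.dll"]


def demo() -> Dict[str, Dict[str, str]]:
    """Hijackable imports of Setup.exe under each search mode."""
    return {mode: hijackable_imports(SETUP_IMPORTS, mode, DOWNLOADS, DOCUMENTS, FS)
            for mode in ("legacy", "safe", "system32_only")}


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode:14s} {hits or 'nothing hijackable'}")
```

Running it shows the distinction the thread argues over: Safe DLL Search Mode removes the current-directory hit (FEClient.dll from Documents) but leaves the application-directory hit (UXTheme.dll next to Setup.exe in Downloads) in place, because the application directory is still first in the safe order. Only the System32-only mode, a fully qualified path, or a KnownDLLs entry takes the user-writable directory out of play, and the System32-only mode covers LoadLibrary() calls, not the import table, so an installer that must run from Downloads needs both.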

  17. Windows Thing? by Anonymous Coward · · Score: 0

    Someone please tell me this is only a Microsoft Windows thing.

  18. Learning Coding? by BoRegardless · · Score: 1

    Start learning security issues early on!

    Sounds to me after all of Slashdot's articles that many software teams don't have a coding security expert or security team or we wouldn't have all these flaws.

  19. full disclosure... by Anonymous Coward · · Score: 0

    is getting sick of this guy. Effectively identical reports for months and months on end, with no real value to the information. If he wants to name and shame, he should set up a website instead of spamming the hell out of the security lists. Everyone who reads the lists knows about it, if we secure systems we protect against it, so stop bombarding us with this drivel! Congrats on your shameful self promotion, it finally worked.

  20. Brain replacement vulnerability by WaffleMonster · · Score: 1

    More than tens of software products are vulnerable to key loggers installed in keyboard cables. More than tens of software products are vulnerable to compromise when executed from compromised systems.

    Come on, people, fix your vulnerable software or we will publicly slut shame you for your indifference.

  21. Barn door, and all that... by H0p313ss · · Score: 1

    Am I alone in thinking that if malicious code has admin level write access to system disks then you're already fubar?

    The horse is gone! Shut the barn door!

    --
    XML is a known as a key material required to create SMD: Software of Mass Destruction
  22. NO - Please do not post Click Bait headlines by Overzeetop · · Score: 1

    This is slashdot. Unless you are being sarcastic about a click-baity site that we need to laugh at, "Simple Bug" is not a valid replacement for "DLL Hijacking" or, more descriptively, "DLL Side Loading" or "DLL replacement."

    You want to know what will make Slashdot better? Good headlines is a fantastic start. :-)

    --
    Is it just my observation, or are there way too many stupid people in the world?
  23. Zone Alarm? TrueCrypt? by Anonymous Coward · · Score: 0

    Was this "report" published in 2003?

  24. %WINDIR%, %SYSTEM32%, %CSIDL_PROGRAM_FILESX86% by raymorris · · Score: 1

    You would "hard code" using system variables like this:

    %CSIDL_PROGRAM_FILESX86%\Avast\Sanner\foo.dll
    That would end up being "the right place" no matter which drive letter has your Program Files directory. It wouldn't load hacker\foo.dll from any location.

    1. Re:%WINDIR%, %SYSTEM32%, %CSIDL_PROGRAM_FILESX86% by Bert64 · · Score: 1

      In which case, what happens if you want to install your applications somewhere other than the default progra~1 directory?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  25. Use of language by Daetrin · · Score: 1

    I know this is offtopic, but why the use of the word "tens" in the summary? Perhaps it's a regional thing (western US here) but the term "dozens" seems much more natural to me. Unless you're talking about the very narrow range of 20-23 items I can't think of a good reason why "tens" would be preferred.

    --
    This Space Intentionally Left Blank
  26. Whatever is downloaded ends up being run as admin by raymorris · · Score: 2

    I'm going to simplify this a bit, but consider you download two things. First, songlist.zip. You extract songlist.zip, which is data. You don't execute anything in that download. You just extract it to your downloads folder and use notepad to open the resulting songlist.txt. You don't notice that it also included a file called netssl.dll, which sits in your downloads folder.

    Later, you download mcafee_setup.exe. You run mcafee_setup.exe, which needs to run as admin. mcafee_setup.exe makes use of netssl.dll. It could use the hacked version which was part of songlist.zip, running code with full admin privileges that you never intended to run at all.

  27. Update: most vendors updating their installers by Anonymous Coward · · Score: 0

    "UPDATE: Mr. Kanthak has told Softpedia that "most of the companies/vendors I contacted patched their products." Rapid7 went so far as to withdraw their ScanNow product altogether.

    "Some of the companies/vendors which did not reply to my reports in the first place contacted me after they became aware of the [public disclosure] posts and fixed their installers, or are working on a fix now," Mr. Kanthak also added.

    Additionally, there are also some other software products for which Mr. Kanthak has not yet posted a public disclosure post, but to which he reported vulnerabilities, and the companies are now working on a fix."

  28. Still depends on user trusting installer by BlueMonk · · Score: 2

    This doesn't seem like a very big vulnerability because it still requires the user to explicitly trust an installer to install executable code. Whether that code is an executable or a DLL that gets loaded into another application, once you've installed malicious software, you're screwed.

  29. Windows vulnerable to DLL hijacking .. by tetraverse · · Score: 0

    Corrected for accuracy. This has been known about for years. Windows will load a DLL from the current search path if it has the same name as a native system DLL. This can't be disabled or it breaks most applications.

  30. installations requiring admin by Khashishi · · Score: 1

    The problem is the practice of requiring admin privileges to install most software. Software should not require admin install unless they really need it. Common frameworks (which are a big user of DLLs) do exacerbate the problem since they often want to be installed in a root location so all the applications can share it.

    A solution is to forbid third parties from bundling installers for common framework runtime binaries. If the framework is needed, then either install the binaries in the application directory or tell the user to go install it themselves.

  31. VirtualBox by Anonymous Coward · · Score: 0

    The VirtualBox team is actually really intense about security and hackability.

  32. New Vulnerability! by Anonymous Coward · · Score: 1

    Guys! I discovered a new vulnerability in Windows:

    If you replace an executable with a different executable and then execute it, you actually execute the new executable and not the executable you replaced. Where should I submit my paper for publication?

  33. Why I wrote this as 1 single .exe & no DLL by Anonymous Coward · · Score: 0

    No dependency on 3rd party' libs or bugs: APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    -

    FREE, not 'souled-out' to advertisers, adds speed, security & reliability.

    Does more w/ less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.

    Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!

    (Firewalls do rest on less used IP address trackers/threats vs. host-domain names).

    -

    Obtains data vs. threats & ads via 10 reputable security community sites - easily edited using my program.

    -

    SPEEDS YOU UP 2 ways:

    Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!

    -

    All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)

    -

    MalwareBytes' hpHosts Admin (MalwareBytes employee verified its source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...

    &

    MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...

    &

    Safe proven by 57 antivirus programs in its 64-bit model https://www.virustotal.com/en/...

    +

    32-bit model https://www.virustotal.com/en/...

    &

    Installer-> http://f.virscan.org/APKHostsF...

    -

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes)

    ...apk

  34. Breaking News by Anonymous Coward · · Score: 0

    If your computer gets compromised, the attacker can fuck with .dll files on your syst..

    oh wait.

  35. I mean, this is a little unfair by cfalcon · · Score: 1

    I like shitting on Windows apps as much as the next guy, but if you can replace a library on the drive, aren't you just going to like... win? Maybe there's more protection on real systems, but it's a binary that gets run with the permissions and privileges of whatever is running it. Can someone explain to me how this is a larger concern, and what was done to patch the security of this?

    It stands to reason that if you can overwrite a DLL, you can overwrite a lot of stuff, same as with an .so or something. Is it something where in Windows it's easy to overwrite the DLL in the first place?

    1. Re:I mean, this is a little unfair by Anonymous Coward · · Score: 0

      Stephen Kanthak's work is based on creating a malicious file like C:\Program or a number of other file paths. The malicious ones are often executed before the legitimate ones.

  36. Follow the money! by LoTonah · · Score: 1

    That's a lot of name-dropping. Wonder if said researcher asked for a bit of hush money and if you paid up you were taken off the list? Smear campaigns for cash are hardly new.

  37. Re:Whatever is downloaded ends up being run as adm by H0p313ss · · Score: 1

    So as a user you downloaded a suspect binary but it's the OS that's at fault?

    It's certainly true that Windows sucks for this kind of issue, and always has, but there's only so much you can do to protect idiot users from themselves.

    --
    XML is known as a key material required to create SMD: Software of Mass Destruction

  38. Re:Whatever is downloaded ends up being run as adm by Anonymous Coward · · Score: 0

    The OS is at fault for loading a DLL from the downloads directory, without explicitly being asked to do so.

    Certain other operating systems only look for DLLs (or equivalent) in the system directories /lib and /usr/lib.
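    An added, defender-side illustration of the search-order point raised in the posts above (example code written for this page, not part of the thread): it audits a download folder for DLLs that an installer launched from that folder would resolve ahead of System32. The system-DLL and KnownDLLs name lists and the sample folder contents are constructed for the example, not taken from any real machine.

```python
"""Audit a download folder for DLLs that shadow system DLLs (added example)."""
import os
import tempfile

# Constructed name lists for this example. A real audit would enumerate
# %SystemRoot%\System32 and read the KnownDLLs list under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll",
               "kernel32.dll", "user32.dll"}
# KnownDLLs are mapped from System32 regardless of the search order, so a
# copy beside the installer is not loaded, but it is still worth reporting.
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}


def audit_folder(folder, system_dlls=SYSTEM_DLLS, known_dlls=KNOWN_DLLS):
    """Classify the files in `folder` under the default DLL search order:
    the application's own directory is searched before System32, so a
    same-named DLL next to the executable wins for any bare-name load."""
    report = {"installers": [], "shadowing": [], "known_dll_copies": []}
    for name in os.listdir(folder):
        lower = name.lower()
        if lower.endswith(".exe"):
            report["installers"].append(name)
        elif lower in known_dlls:
            report["known_dll_copies"].append(name)
        elif lower in system_dlls:
            # An installer in this folder that loads this DLL by bare name
            # gets the local copy, not the one in System32.
            report["shadowing"].append(name)
    for key in report:
        report[key].sort()
    return report


def build_sample_folder():
    """Create a constructed download folder: one installer, one shadowing
    DLL, one KnownDLL copy and two harmless files. All contents are dummies."""
    folder = tempfile.mkdtemp(prefix="downloads_audit_")
    for name in ("vendor_setup.exe", "version.dll", "kernel32.dll",
                 "songlist.zip", "readme.txt"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"placeholder")
    return folder


if __name__ == "__main__":
    result = audit_folder(build_sample_folder())
    for key, names in result.items():
        print(f"{key}: {names}")
```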

  39. Yes, downloading fdisk shouldn't run it by raymorris · · Score: 1

    > So as a user you downloaded a suspect binary but it's the OS that's at fault?

    Yes, it's a security flaw in the OS. I should be able to download fdisk.exe (as an unprivileged user) without the OS running fdisk.exe /wipe c: (as admin). Downloading as a user shouldn't mean executing as admin.

  40. There's a var for "this program's install folder " by raymorris · · Score: 1

    There is a similar variable for "this program's installation directory", I believe. Generally, though, your DLLs should go where DLLs belong. Fighting against the design of the OS tends to increase the risk of a security exposure, in general.

  41. Did you like eating your words omnichad? by Anonymous Coward · · Score: 0

    See subject: How did they taste? http://slashdot.org/comments.p...

    * :)

    (LOL, loser...)

    APK

    P.S.=> If Computer Associates & Thor SCHMUCK were right, then WHY did they have to remove a program of mine as a 'threat' lowering it to ZERO/NO THREAT levels, stupid? apk

  42. Re:There's a var for "this program's install folde by Anonymous Coward · · Score: 0

    Figuring out what belongs where is actually a nightmare on Windows. I've spent several days looking for some official documentation on that topic and came up empty-handed. Also, the ways in which Windows messes with file accesses from programs and redirects them seem to be completely undocumented or documented in extremely obscure places.

    Of course, the next version of Windows changes everything. Again.

  43. Re:There's a var for "this program's install folde by Anonymous Coward · · Score: 0

    It has hardly changed since Windows 2000, though it has been tightened up quite a bit with each new OS version. The only thing missing is a sanctioned shared-writable standard folder hierarchy. Some of the standard folder paths changed as of Windows Vista, but if you're using the sanctioned methods for folder access, then applications properly written for Windows XP will run without folder access problems on later OS versions. Vista also added registry/folder redirection (not the correct terminology, but I'm not going to look it up again), but if you're seeing that, then you were doing it wrong long before Vista was released.

    The information you want and much more can be found in the Windows Logo guidelines. Even if you have no intention of applying for Logo certification, those requirements document what you haven't been able to find.

    - T

  44. Re:It's why I wrote this as 1 single .exe & no by Anonymous Coward · · Score: 0

    Can't I just get your hosts file as text? I don't see why I need an executable.