Anon users

@anonymouse.org

Microsoft WebDAV patch out!!!

Technet Blog for 'More information about the DLL Preloading remote attack vector' WebDAV patch is out!!!

( »blogs.technet.com/b/srd/ )

KB for this patch & links for download :

( »support.microsoft.com/kb/2264107 )

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

here we go again. Out for everyone except us XP SP2 users. I am still not putting SP3 on here.


lorennerol
Premium
join:2003-10-29
Seattle, WA

1 edit

said by Mele20:

here we go again. Out for everyone except us XP SP2 users. I am still not putting SP3 on here.

Or Windows 2000 or 98SE or 98 or 95...

If you are unwilling to install SP3 on XP or upgrade to an OS designed in this millennium, then you get what you get.

"Unsupported" and "End of Life" are not confusing or ambiguous terms.

Frodo

join:2006-05-05

reply to Mele20
I can't get the xp sp3 download to work


Frodo

join:2006-05-05

reply to Anon users
I took a look at the Win2003 download, and it looks like it's a brand new "ntdll.dll" that contains the new functionality.



Cabal
Premium
join:2007-01-21
Austin, TX
Reviews:
·Suddenlink

reply to Mele20

said by Mele20:

here we go again. Out for everyone except us XP SP2 users. I am still not putting SP3 on here.

That's okay, you wouldn't want your 5 year-old Firefox 1.5 to feel left behind.
--
If you can't open it, you don't own it.

Frodo

join:2006-05-05

reply to Anon users
Got the files for XP-sp3 (32 bit)

Showing two files:
NTDLL.DLL
mrxdav.sys


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Cabal
Yes, but my default Opera 10.61 may feel too advanced so it feels left out also! Can't win.



secured655

@rr.com

reply to Anon users
Thx Anon Users (and Frodo in the other thread) for posting.

The patch seems fuzzy and conditional depending on the scenario though. For those lacking access to the patch, from this thread,

»Code-Execution Bug in Windows and HUNDREDS of Apps

block outbound activity on ports 139 and 445 (with your firewall) and disable WebDAV client service. I would extend that to include ports 135, 137, and 138. If any apps break, create exception rules as necessary.
And disable shares unless needed (per the Snowman's remarks in the aforementioned thread). As of current disclosure of the vulnerability, this should prevent the exploit.
Funny how 10 years ago, these were the first ports to get block rules in BlackIce.
Hope this helps those worried about not having access to the patch.
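The interim hardening described in the post above, written out as an added example (not code from the thread or from any of its posters). It assumes Windows 8 / Server 2012 or later for the `New-NetFirewallRule` cmdlets and an elevated session; the XP-era built-in firewall has no outbound rules at all, so on XP the same blocks have to go into a third-party firewall, as the post says. The rule names are made up here.

```powershell
# Added example: block the outbound SMB/NetBIOS ports the post lists and disable
# the WebDAV client, then report whether each control is in place.
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated session.

$RulePrefix = 'Block outbound DLL-preload vectors'   # constructed rule name prefix

# 139/445 from the quoted thread, plus 135/137/138 as the post extends it.
$Blocks = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'TCP'; Port = 139 },
    @{ Protocol = 'TCP'; Port = 135 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 138 }
)

function Add-OutboundBlockRules {
    foreach ($b in $Blocks) {
        $name = "$RulePrefix $($b.Protocol)/$($b.Port)"
        # Idempotent: skip rules that already exist so re-runs don't stack duplicates.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Protocol $b.Protocol -RemotePort $b.Port -Profile Any | Out-Null
        }
    }
}

function Disable-WebDavClient {
    # The WebClient service is the WebDAV mini-redirector (mrxdav.sys, one of the
    # two files the hotfix ships); without it an http:// path cannot become a
    # working directory.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

function Test-Hardening {
    # One row per control, so the state can be compared before and after.
    $rows = foreach ($b in $Blocks) {
        $name = "$RulePrefix $($b.Protocol)/$($b.Port)"
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Control = $name
            Applied = ($null -ne $rule) -and ($rule.Enabled -eq 'True')
        }
    }
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{
        Control = 'WebClient service stopped and disabled'
        Applied = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    }
    $rows
}

Add-OutboundBlockRules
Disable-WebDavClient
Test-Hardening | Format-Table -AutoSize
```

These rules block outbound SMB to every address, so on a domain-joined machine they also cut off the file and print servers; the post's advice to add exception rules applies, for example by adding allow rules for the internal server addresses ahead of these blocks. Run `Test-Hardening` again after a reboot to confirm nothing re-enabled the service.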



DayWalkerz

@centurytel.net

reply to Frodo

said by Frodo:

I can't get the xp sp3 download to work

I got the link to work with firefox but had to use a small validation tool and input the code given then after I was redirected to the download.

SUMware
Premium
join:2002-05-21
kudos:2

4 edits

reply to Anon users
This does not solve the problem and is not a true patch. It is only a registry update.

If you read the OP's links here's what is really said:

said by Microsoft:
Today we released Security Advisory 2269637 notifying customers of a remote attack vector to a class of vulnerabilities affecting applications that load DLLs in an insecure manner. The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact.

For the sake of this issue, it's sufficient to say that if an attacker can cause an application to LoadLibrary() while the application's current directory is set to an attacker-controlled directory, the application will run the attacker's code.

The most likely exploit scenario involves an attacker convincing the victim to open a file hosted on an attacker-controlled SMB or WebDAV share. The file itself would not necessarily be malicious or malformed. The key is that the file is loaded from a location where an attacker can also place a malicious DLL with the same name as a DLL the vulnerable application loads.

This update introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.

The newly introduced CWDIllegalInDllSearch registry key enables computer administrators to modify the behavior of the DLL search path algorithm that is used by LoadLibrary and by LoadLibraryEx. This registry key could allow certain kinds of directories to be skipped.

Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications requires the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we're looking into ways to make it easier for developers to not make this mistake in the future.

Frodo

join:2006-05-05

1 edit

said by SUMware:

This does not solve the problem and is not a true patch. It is only a registry update.

Actually, it is a patch. Two files, previously mentioned on XP-SP3. It isn't a registry update. The patch permits the user to manually add the registry update.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Just tested it on an app and it seems to work. I "stole" the dll from the app and put it in the current working directory. App started. Added the DWORD CWDIllegalInDllSearch value to the Session Manager key and set the value to 0xFFFFFFFF. App doesn't work. Change value to 0 and app again works. Changing value back to 0xFFFFFFFF and leaving it, app doesn't work.

I don't know what the driver does for WEBDAV. I've always had that service disabled.

--Edit: If user doesn't add the registry value, in my opinion, nothing will happen. In my opinion, you will not be protected.

SUMware
Premium
join:2002-05-21
kudos:2

3 edits

said by Frodo:

The patch permits the user to manually add the registry update.

Call it as you wish. But as MS says - the core issues cannot be solved via Windows OS solution.

Frodo

join:2006-05-05

said by SUMware:

Call it as you wish. But as MS says - the core issues cannot be solved via Windows OS solution.

But they did do something. With the strictest setting, the current working directory is out of the picture. I like that. We'll see what hacks are available to deal with that.

SUMware
Premium
join:2002-05-21
kudos:2

said by Frodo:

said by SUMware:

Call it as you wish. But as MS says - the core issues cannot be solved via Windows OS solution.
But they did do something.

"Something" is correct. Better than nothing.

Frodo

join:2006-05-05

said by SUMware:

"Something" is correct. Better than nothing.

All of the exploits seem to deal with changing the current working directory to a remote share, either through Webdav or traditional Windows Netbios. Hence the call to restrict outbound port 139 and 445 connections and shut off Webdav.

Now, if they change the working directory, so what? I just put a needed dll in the CWD and the app doesn't start.

I think it's a lot better than nothing. But it is up to the user to load the patch, and then manually add the registry settings.

They said two places:

# To use this registry key for all the applications on a computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

# To use this registry key for a specified application on a computer:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

I've only screwed around with the global setting so far, which is the Session Manager value. They didn't specify, but DWORD seems to be the type for the value.
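The manual registry steps Frodo tested (the DWORD under Session Manager) and the two key locations listed above, turned into a script as an added example; this is not code from the thread, from Frodo or from Microsoft. It assumes the KB 2264107 hotfix is installed, an elevated session, and the value meanings documented in that KB (0, 1, 2 and 0xFFFFFFFF). The executable name `legacyapp.exe` is a hypothetical placeholder.

```powershell
# Added example: apply and audit the CWDIllegalInDllSearch value that the
# KB 2264107 hotfix reads. Assumes the hotfix is installed and the session is
# elevated. Value meanings as documented in KB 2264107:
#   0          default search order, the current working directory (CWD) is searched
#   1          skip the CWD when it is a WebDAV folder
#   2          skip the CWD when it is any remote folder (WebDAV or UNC)
#   0xFFFFFFFF never search the CWD (the strictest setting, the one tested above)

$GlobalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function ConvertTo-DwordInt32 {
    # The registry provider writes REG_DWORD through Int32, so 0xFFFFFFFF has to be
    # handed over as its signed bit pattern (-1); 0, 1 and 2 pass through unchanged.
    param([uint32]$Value)
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}

function ConvertFrom-DwordInt32 {
    # Reverse of the above, so a read-back of -1 displays as 0xFFFFFFFF.
    param([int32]$Value)
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Set-CwdIllegalInDllSearch {
    param(
        [Parameter(Mandatory)][uint32]$Setting,
        [string]$Executable   # e.g. 'notepad.exe' for a per-app value; omit for machine-wide
    )
    $key = $GlobalKey
    if ($Executable) {
        # Per-application values live under an IFEO subkey named after the image file.
        $key = Join-Path $IfeoKey $Executable
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value (ConvertTo-DwordInt32 $Setting) -Force | Out-Null
}

function Get-CwdIllegalInDllSearch {
    # One row for the machine-wide value, then one per IFEO subkey that overrides it.
    $rows = New-Object System.Collections.Generic.List[object]
    $g  = Get-ItemProperty -Path $GlobalKey -Name $ValueName -ErrorAction SilentlyContinue
    $gv = '(not set: CWD is searched)'
    if ($g) { $gv = '0x{0:X8}' -f (ConvertFrom-DwordInt32 $g.$ValueName) }
    $rows.Add([pscustomobject]@{ Scope = 'Machine'; Value = $gv })
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($p) {
            $rows.Add([pscustomobject]@{
                Scope = $_.PSChildName
                Value = '0x{0:X8}' -f (ConvertFrom-DwordInt32 $p.$ValueName)
            })
        }
    }
    $rows
}

# Usage: strictest setting machine-wide, then a looser per-app value for a
# hypothetical application that legitimately loads DLLs from its working directory.
Set-CwdIllegalInDllSearch -Setting 0xFFFFFFFF
Set-CwdIllegalInDllSearch -Setting 2 -Executable 'legacyapp.exe'
Get-CwdIllegalInDllSearch | Format-Table -AutoSize
```

Reading the value back with `Get-ItemProperty` returns -1 for 0xFFFFFFFF, which is why the two converter helpers exist. Repeating Frodo's check is the useful test: copy a DLL the application imports into a working directory, start the application from there, and confirm it fails with 0xFFFFFFFF set and starts again with 0, which shows the hotfix is actually honouring the value.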

SUMware
Premium
join:2002-05-21
kudos:2

said by Frodo:

But it is up to the user to load the patch, and then manually add the registry settings.

A number of members reading this thread will do that. But the average unaware Microsoft user?

Frodo

join:2006-05-05

said by SUMware:

A number of members reading this thread will do that. But the average unaware Microsoft user?

Well, it's described as a hotfix for system administrators. My company, for instance, with 1000s of workstations could use this fix.

They'll have to figure out how to deal with end users later on. I'm just glad they came out with something fast.

SUMware
Premium
join:2002-05-21
kudos:2

Will this be available via 'Microsoft Update'?



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
Reviews:
·Verizon Online DSL

reply to SUMware

said by SUMware:

But the average unaware Microsoft user?

The average unaware Microsoft home user is likely not networked into an attacker-controlled SMB or WebDAV share:

said by the blog posting:

The most likely exploit scenario involves an attacker convincing the victim to open a file hosted on an attacker-controlled SMB or WebDAV share.

... An attack cannot be automatically launched through email or web browsing attack vectors ...

As far as corporate users:

If a perimeter firewall prevents a system from making outbound SMB or WebDAV connections to attacker-controlled locations, this issue poses little risk.

FWIW.
over 12.5 years online © 1999-2012 dslreports.com.