Microsoft tool for DLL vulnerability interferes with some applications

Microsoft's tool to protect against the DLL hijacking vulnerability, which was released last week, results in some programs no longer working properly. Users who want to use the tool to reliably prevent attackers from passing infected libraries to trusted applications should set the new registry key DWORD value to 0xFFFFFFFF ("ffffffff"). This removes the working directory, which could be located on a network share, from Windows' list of locations to search for DLLs.

But this causes problems for programs which use precisely this search behaviour, but which are not, necessarily, vulnerable to DLL hijacking. The most prominent example is the current stable version of Google Chrome. If the registry key is set, the browser fails to find the avutil-50.dll file when the user opens the program or a new tab. If a web page contains an HTML5 video element, the entire web page fails to display. On our Windows 7 test system, open source graphics program GIMP was also no longer able to find its plugins. According to user reports, games service Steam and the Java plugin for Mozilla also encounter difficulties.

Such cases can be resolved by either individually excluding problem applications from using the modified search behaviour or watering down security measures for the problem programs. To do so, a new DWORD registry key called CWDIllegalInDllSearch should be created in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Program Name.exe\ and set to '0'. This causes the application to use Windows' standard list of search locations, but of course makes it once more vulnerable to DLL hijacking.

A reasonable compromise is to set the value to '2' – this causes the working directory to be excluded from the list of search locations only if it is a network directory. This, at least, protects against remote attacks, where the user is redirected to crafted SMB or WebDAV shares. Setting this value to '1' protects against WebDAV-based DLL hijacking attacks only.

Certainly the cleanest solution would be updates for the affected programs, but provision of such has so far been patchy. For example, the VLC and uTorrent development teams have reacted rapidly to the publication of exploits – currently springing up in great profusion – and have protected their applications from DLL hijacking. Users wishing to keep on top of the expected flood of patches may wish to chance a look at Secunia's PSI. The freeware tool accesses a large database of programs and informs users when newer versions of applications installed on their system become available. Exploit Database and Corelan.be both offer lists of vulnerable applications.

According to security expert Tim Brown, some Linux distributions may also be prone to the problem – if the LD_LIBRARY_PATH is not set, applications may load libraries from the user's current working directory. However, according to comments made by Brown to Threatpost, this is not easy to exploit.

(djwm)