Re: DLL hijacking with Autorun on a USB drive

[Valdis.Kletnieks () vt edu]

On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:

> Why wouldn't eliminating the CWD from the DLL search order fix the problem?
> I asked Microsoft about this (
> http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php)
> and they said the obvious answer, that it would break too many customer
> installations. And I guess it would break a bunch of them, but there really
> isn't a good reason for anyone to load a DLL from the CWD, is there?

The mentality that "Our program only works with version 1.14 of the DLL so
we'll ship a copy of it in the directory" is too entrenched.  That's why you'll
see a box that has 4 or 5 different copies of the Java RTE on it.  Of course,
on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where to
find the libraries (and maybe apply some W^X exclusion to path components).
But there's just too many 3rd party packages that would have to be updated to
make it palatable.

Remember - Microsoft doesn't have any real committment to deliver a truly
secure system to you. It has a committment to deliver just enough security
and other features so it can deliver dollars to its shareholders.  We all *know*
what it would take to secure it - and it won't happen because the resulting
paradidm shits will torpedo sales.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/