A week has passed since Microsoft published security advisory KB2269637, which details the technology underlying the DLL hijacking vulnerabilities. Since then, security researchers have looked at Windows applications from third parties and from Microsoft itself and have identified many vulnerable programs. Last week HD Moore from Rapid7 published an even better version of his tool for finding DLL hijacking issues, which is in use by many of the researchers. Just this week, Microsoft gave a very illustrative example on its SRD blog of how a vulnerable application could be attacked.
We recommend installing the Microsoft Hotfix downloadable from KB2264107 and creating the CWDIllegalInDllSearch registry key, which instructs Windows to exclude the current working directory from the DLL load path when an application is started from network or WebDAV locations. In addition, IT admins should keep an eye on the excellent list of vulnerable applications and their fix status that is being maintained by Secunia.
In QualysGuard we have introduced two new QIDs designed to help IT admins manage the installation of this Hotfix:
- QID 118423 – Microsoft Windows DLL Search Order Design Error Vulnerability (KB2269637)
  This detection indicates that the machine does not have the Hotfix installed.
- QID 90634 – Hotfix KB2264107 (DLL hijacking) is Installed
  This detection indicates that the machine has the Hotfix installed; its result section contains the setting of the CWDIllegalInDllSearch registry key.
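
For a local spot check of the same two facts, here is an added example (not part of the original post and not Qualys' detection logic): a PowerShell audit that reports whether KB2264107 is listed as installed and how CWDIllegalInDllSearch is set, system-wide and per application. The registry paths and value meanings (0, 1, 2, 0xFFFFFFFF) are assumptions taken from Microsoft's KB2264107 article, not from this page, and the function names are illustrative.

```powershell
# Added example: local audit of the KB2264107 hotfix and CWDIllegalInDllSearch.
# Registry paths and value meanings are assumptions taken from Microsoft's KB2264107.
$ValueName  = 'CWDIllegalInDllSearch'
$SystemKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$PerAppRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdSearchMeaning {
    param($Value)
    if ($null -eq $Value) { return 'not set (CWD remains in the DLL search path)' }
    if ($Value -isnot [ValueType]) { return 'wrong registry type (expected REG_DWORD)' }
    # A DWORD of 0xFFFFFFFF can surface as -1 or 4294967295; normalise to unsigned.
    $v = [int64]$Value -band 4294967295
    switch ($v) {
        0          { return 'default search path, no restriction' }
        1          { return 'CWD skipped when it is a WebDAV folder' }
        2          { return 'CWD skipped when it is a remote (UNC or WebDAV) folder' }
        4294967295 { return 'CWD removed from the DLL search path' }
        default    { return "unrecognised value $v" }
    }
}

function Get-CwdSearchSetting {
    param([string]$KeyPath, [string]$Scope)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $raw = if ($key) { $key.GetValue($ValueName) } else { $null }
    [pscustomobject]@{ Scope = $Scope; Setting = Get-CwdSearchMeaning $raw }
}

# Hotfix status as reported by the operating system's installed-updates list.
$hotfix = Get-HotFix -Id 'KB2264107' -ErrorAction SilentlyContinue
$state  = if ($hotfix) { 'listed as installed' } else { 'not listed' }
Write-Output "Hotfix KB2264107: $state"

$report = @(
    Get-CwdSearchSetting -KeyPath $SystemKey -Scope 'system-wide'
    # Per-application overrides live in one subkey per executable name.
    Get-ChildItem -LiteralPath $PerAppRoot -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue($ValueName) } |
        ForEach-Object { Get-CwdSearchSetting -KeyPath $_.PSPath -Scope $_.PSChildName }
)
$report | Format-Table -AutoSize
```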