Message-ID: <62296.1282914621@localhost>
Date: Fri, 27 Aug 2010 09:10:21 -0400
From: Valdis.Kletnieks@...edu
To: Larry Seltzer <larry@...ryseltzer.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive

On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:

> Why wouldn't eliminating the CWD from the DLL search order fix the problem?
> I asked Microsoft about this (
> http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php)
> and they said the obvious answer, that it would break too many customer
> installations. And I guess it would break a bunch of them, but there really
> isn't a good reason for anyone to load a DLL from the CWD, is there?

The mentality that "Our program only works with version 1.14 of the DLL so
we'll ship a copy of it in the directory" is too entrenched.  That's why you'll
see a box that has 4 or 5 different copies of the Java RTE on it.  Of course,
on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where to
find the libraries (and maybe apply some W^X exclusion to path components).
But there are just too many 3rd party packages that would have to be updated to
make it palatable.

Remember - Microsoft doesn't have any real commitment to deliver a truly
secure system to you. It has a commitment to deliver just enough security
and other features so it can deliver dollars to its shareholders.  We all *know*
what it would take to secure it - and it won't happen because the resulting
paradigm shifts will torpedo sales.
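
Added example, not part of the original message: a Python check that audits an LD_LIBRARY_PATH-style value for entries that fall back to the current directory or that other users can write to. The function name `audit_library_path` and the sample directories are hypothetical, and reading "path components" as the individual entries of the variable is an assumption.

```python
import os
import stat


def audit_library_path(value):
    """Return (entry, problem) pairs for an LD_LIBRARY_PATH-style string."""
    findings = []
    # ld.so accepts ':' or ';' as separators and has no escaping for either.
    for entry in value.replace(";", ":").split(":"):
        if entry == "":
            # A zero-length entry means the current working directory.
            findings.append((entry, "empty entry: loader searches the CWD"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry: resolved against the CWD"))
            continue
        try:
            st = os.stat(entry)  # follows symlinks to the real target
        except OSError:
            findings.append((entry, "missing: cannot be vetted"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Code is loaded from here, so nobody else may write here.
            findings.append((entry, "writable by group or other"))
    return findings


if __name__ == "__main__":
    import tempfile

    # Constructed sample: one tight directory, one loose one, plus an
    # empty entry and a relative entry in the same search path.
    base = tempfile.mkdtemp()
    tight = os.path.join(base, "tight")
    loose = os.path.join(base, "loose")
    os.mkdir(tight)
    os.chmod(tight, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    for entry, problem in audit_library_path(f"{tight}::plugins:{loose}"):
        print(repr(entry), "->", problem)
```
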
