lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 27 Aug 2010 10:13:21 -0400
From: Dan Kaminsky <dan@...para.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive

On Fri, Aug 27, 2010 at 9:10 AM, <Valdis.Kletnieks@...edu> wrote:

> On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:
>
> > Why wouldn't eliminating the CWD from the DLL search order fix the
> problem?
> > I asked Microsoft about this (
> >
> http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php
> )
> > and they said the obvious answer, that it would break too many customer
> > installations. And I guess it would break a bunch of them, but there
> really
> > isn't a good reason for anyone to load a DLL from the CWD, is there?
>
> The mentality that "Our program only works with version 1.14 of the DLL so
> we'll ship a copy of it in the directory" is too entrenched.  That's why
> you'll
> see a box that has 4 or 5 different copies of the Java RTE on it.  Of
> course,
> on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where
> to
> find the libraries (and maybe apply some W^X exclusion to path components).
> But there's just too many 3rd party packages that would have to be updated
> to
> make it palatable.
>

As opposed to other platforms that, what, don't have 3rd party packages?  :)


>
> Remember - Microsoft doesn't have any real committment to deliver a truly
> secure system to you. It has a committment to deliver just enough security
> and other features so it can deliver dollars to its shareholders.  We all
> *know*
> what it would take to secure it - and it won't happen because the resulting
> paradidm shits will torpedo sales.
>

Oh, come on.  MS puts more effort into delivering a secure platform than
pretty much anyone at this point.  They're just not the low hanging fruit
they once were.

The difference between attack and defense is that we know when attack
doesn't work.  Unrolling this one characteristic pretty much yields security
as it stands today.  It's why attack research is so important -- it's our
only source of ground truth!

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ