Message-ID: <FA22BBD37F7A4A26942A4167ACD27A7D@H270>
Date: Mon, 22 Sep 2025 16:27:42 +0200
From: Stefan Kanthak via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Cc: Microsoft Security Response Center <secure@...rosoft.com>
Subject: [FD] Defense in depth -- the Microsoft way (part 94): BACKDOOR
	planted in AppLocker

Hi @ll,

for several years Microsoft has installed the DLLs domain_actions.dll
and well_known_domains.dll, as part of their Edge browser as well as
Windows' WebView component, into each and every user profile,
UNPROTECTED against tampering.

On Windows 11 24H2 their paths are currently
"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\well_known_domains.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\well_known_domains.dll"

Security-conscious Windows administrators have of course blocked execution
of DLLs in user-writable locations for more than 24 years, via
SAFER, alias Software Restriction Policies, AppLocker, or WDAC, alias
Windows Defender Application Control: see for example
"Using Software Restriction Policies to Protect Against Unauthorized Software"
<https://technet.microsoft.com/en-us/library/cc507878.aspx> or my
own <https://skanthak.hier-im-netz.de/SAFER.html>

The release notes for Edge 135.0.3179.11 (Beta) published 2025-03-13
and the release notes for Edge 135.0.3179.54 (Stable) published
2025-04-03 contain the following tell-tale section:

| Fixes
| * Fixed an issue where AppLocker blocked well-known DLLs such as
|   well_known_domains.dll and domain_actions.dll.

In other words: in March/April 2025 Microsoft planted a BACKDOOR
in AppLocker which allows execution of said DLLs, violating the
principle to block execution everywhere unless explicitly allowed via
rule!

Remediation: add EXPLICIT deny rules to your AppLocker configuration!

stay tuned, and far away from UNTRUSTWORTHY crap
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
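The remediation the post recommends (explicit AppLocker deny rules for these DLLs), as an added PowerShell example that is not part of the original post and not Microsoft's or the author's code. It authors two FilePathRule entries with Action="Deny" in the Dll rule collection, checks the decision against the policy file with Test-AppLockerPolicy before anything is applied, merges the rules into the local policy, and then checks that the Dll collection is enforced and the Application Identity service is running, since without both no DLL rule has any effect. Assumptions not taken from the post: the rule names and descriptions, the %OSDRIVE%\Users\* path pattern (AppLocker path rules have no %LOCALAPPDATA% variable, so the profile directory is wildcarded, as is the version folder), and the "Everyone" SID S-1-1-0.

```powershell
# Added example (not from the original post): explicit AppLocker DENY rules
# for the Edge / WebView "Domain Actions" DLLs. Run in an elevated PowerShell
# on the machine; for a domain policy, use Set-AppLockerPolicy -Ldap instead.
#Requires -RunAsAdministrator

# Assumption: AppLocker has no %LOCALAPPDATA% variable, so the user profile
# and the version folder (3.0.0.16 in the post) are wildcarded.
$DomainActionsPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Edge\User Data\Domain Actions\*\*.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\*\*.dll'
)

# One FilePathRule per location. AppLocker evaluates explicit Deny rules before
# any Allow rule, so these win even if another rule in the policy allows the DLLs.
# Rule names/descriptions are assumptions; S-1-1-0 is the "Everyone" SID.
$rules = foreach ($p in $DomainActionsPaths) {
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="Deny Edge/WebView Domain Actions DLLs" Description="Explicit deny: DLLs in a user-writable location" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'deny-domain-actions.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run against the policy file BEFORE applying it: every existing copy of
# the DLLs in this profile must come back with PolicyDecision = Denied.
$candidates = Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Domain Actions",
                                  "$env:LOCALAPPDATA\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions" `
                            -Recurse -Filter *.dll -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge into the local AppLocker policy; existing rules are kept, the deny
# rules are added on top of them.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Post-checks: the Dll collection must actually be enforced and the
# Application Identity service must be running, otherwise no DLL rule,
# allow or deny, has any effect.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$dll = $effective.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Dll'
"Dll collection EnforcementMode: $($dll.EnforcementMode)"
"AppIDSvc status: $((Get-Service AppIDSvc).Status)"
```

Run the Test-AppLockerPolicy step a second time with the effective policy (Get-AppLockerPolicy -Effective -Xml written to a file) after the merge, and after the next Edge update, so a changed version folder or a new drop location does not silently fall outside the wildcard; the deny rule only covers what the path pattern matches.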
