DLL Threat Touted in Windows Secrets EMail

BobH
UraniumLounger
Posts: 9287
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

DLL Threat Touted in Windows Secrets EMail

Post by BobH »

In an email I received today, there is an article titled "A threat to common ".dll" files hits many apps" by Susan Bradley. I'm sorry, but the email did not contain a link to a site where this article is published. Because it is likely protected under intellectual property rights, I'm reluctant to copy and post the article here for fear of reprisals against me, or - even worse - Eileen's Lounge.

The article reports threats found arising from the ubiquitous .dll files. It goes on to propose downloading and running a couple of tools to evaluate the threat on one's own system(s). I downloaded the two apps (Microsoft's Process Explorer and Metasploit's DLLHijackAuditKit) and attempted to follow the further instructions. I was unsuccessful because the Metasploit DLLHijackAuditKit app attempted to download a file with a trojan profile which Avast properly blocked and quarantined.

I then followed links to comments on the email article (Windows Secrets Lounge Page) and became even more confused.

Before I try to suss this out and maybe create irrecoverable havoc in the process, I seek discussion and clarification from you folks. Surely this is not a case of "Chicken Little" is it? And if it is not, surely there must be a better way to assess one's exposure than to disable AV software and run trojans!!

Please? Anyone?
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

HansV
Administrator
Posts: 78493
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: DLL Threat Touted in Windows Secrets EMail

Post by HansV »

The threat is real, but there is no reason for panic. According to Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution:
• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.

• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.
So it's unlikely that you'll be affected if you surf cautiously.

There is a fix available now, but I'd wait until the next round of Microsoft updates; the fix will undoubtedly be included in those.
Best wishes,
Hans
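
The scenario in the advisory bullets quoted above, modelled as an added example that is not part of the original post or of the advisory: an application loads a DLL by bare file name while its current directory is the remote share the document was opened from. The directory names, DLL names and the `audit` helper are constructed for illustration; the search order is Microsoft's documented default for a load by bare name.

```python
# Constructed sample layout (not from the thread): directory -> DLLs present.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP_DIR = r"C:\Program Files\ExampleApp"          # hypothetical application
REMOTE_SHARE = r"\\untrusted-host\share"          # hypothetical WebDAV/SMB location
SAMPLE_FS = {
    APP_DIR: {"appcore.dll"},
    SYSTEM_DIRS[0]: {"kernel32.dll", "version.dll"},
    REMOTE_SHARE: {"helper.dll", "version.dll", "report.doc"},
}


def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories tried, in order, when a DLL is loaded by bare file name.

    With SafeDllSearchMode on (the default) the current directory comes after
    the system directories; with it off, right after the application directory.
    """
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve(name, order, fs):
    """Return the first directory in `order` that contains `name`, else None."""
    for directory in order:
        if name.lower() in fs.get(directory, set()):
            return directory
    return None


def audit(dll_names, app_dir, cwd, fs, safe_mode=True):
    """Map each DLL name to (resolved directory, True if taken from a remote cwd)."""
    order = search_order(app_dir, cwd, safe_mode=safe_mode)
    report = {}
    for name in dll_names:
        hit = resolve(name, order, fs)
        report[name] = (hit, hit == cwd and cwd.startswith("\\\\"))
    return report


if __name__ == "__main__":
    # Document opened from the share, so the share is the current directory.
    for dll, result in audit(["appcore.dll", "version.dll", "helper.dll"],
                             APP_DIR, REMOTE_SHARE, SAMPLE_FS).items():
        print(dll, result)
```

Only a DLL that is missing from every earlier directory falls through to the share, which is why the advisory limits the issue to applications that do not load libraries securely and to documents opened from an untrusted location.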

BobH
UraniumLounger
Posts: 9287
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: DLL Threat Touted in Windows Secrets EMail

Post by BobH »

Thanks, Hans!

Now another question. Was my reluctance to post the content of the email message appropriate from the Lounge perspective? I was being extra cautious to avoid problems here; but after re-reading the email I could find no notice of proprietary interest or prohibition about using it elsewhere. Because it was sent as email, one might argue that forwarding is a presumptive use of the material and therefore cannot be protected.

I raise the subject for guidance in future actions and to give the issue broader exposure for fellow lounge members. Would this be an appropriate sticky on Lounge Matters?

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: DLL Threat Touted in Windows Secrets EMail

Post by Argus »

I'm not an Administrator here, and I'm not Hans, but just a general observation:
In this example it's possible to read the whole article at WS, so if one finds it necessary for the discussion one could link to that place. There's a link to the article at the page you mentioned ("I then followed links to comments on the email article").
Many times it's also possible to discuss a matter using only the public information mentioned in an article, if the article itself isn't public, such as different security advisories, or other sources.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

BobH
UraniumLounger
Posts: 9287
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: DLL Threat Touted in Windows Secrets EMail

Post by BobH »

Thanks, Argus!

I didn't find the link to a public forum. That's the reason I didn't post one. I should have looked a bit harder I guess.

I still wonder if sharing an email without claims of proprietary information and without stated prohibitions against sharing it would be appropriate (legal, 'safe', . . . )

Leif
Administrator
Posts: 7209
Joined: 15 Jan 2010, 22:52
Location: Middle of England

Re: DLL Threat Touted in Windows Secrets EMail

Post by Leif »

BobH wrote:....but after re-reading the email I could find no notice of proprietary interest or prohibition about using it elsewhere.
At the very bottom, I think you will find a line stating:

"Copyright © 2010 by WindowsSecrets.com. All rights reserved"


which to my mind means you need to check the small print at WindowsSecrets.com to find out what you can and cannot do. Referring to the rules at Rules » Windows Secrets Lounge - which I cannot believe does not tie in with all WS content - is Rule 5:

"All our graphics, text, and other content is protected by copyright, trademark, and other law. You may not use our graphics, text, or other content without our prior written permission."

In other words, I think what you did was entirely appropriate!
Leif

PaulB
BronzeLounger
Posts: 1598
Joined: 26 Jan 2010, 20:28
Location: Ottawa ON

Re: DLL Threat Touted in Windows Secrets EMail

Post by PaulB »

The Windows Secrets newsletter comes in two versions: Paid subscription and 'Free'. The former contains more articles than the free version. It also contains the following caveat:
[Image attachment: Capture.PNG]
The article you refer to is in the 'free' section of the newsletter and you can use the hyperlink they provide to link to it.
Regards,
Paul

The pessimist complains about the wind. The optimist expects it to change. The realist adjusts his sails.

BobH
UraniumLounger
Posts: 9287
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: DLL Threat Touted in Windows Secrets EMail

Post by BobH »

Thanks, PaulB.

I'm gonna guess that everyone interested has tracked down the article on the .dll exposure by now.