Protection From DLL Vulnerability with WinPatrol PLUS

The day after Microsoft released Security Advisory 2269637 (relating to a remote attack vector to a class of vulnerabilities affecting applications that load DLL’s in an insecure manner), the first exploits were released. These exploits were identified as targeting programs including Firefox, uTorrent BitTorrent client, and Microsoft PowerPoint. As reported by Peter Van Eeckhoutte in DLL Hijacking (KB 2269637) – the unofficial list, the list is much longer now and includes many well known applications.

The MSRC Blog reported that Microsoft conducting investigations into how this vector may affect Microsoft products. In addition, Microsoft released KB Article 2264107, which includes a new CWDIllegalInDllSearch registry entry to control the DLL search path algorithm:

"The update allows the administrator to define the following on a system-wide or a per-application basis:

• Remove the current working directory from the library search path.
• Prevent an application from loading a library from a WebDAV location.
• Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location."

That may be fine for IT Professionals, but what about home computer users? If, like me, you use WinPatrol PLUS, you have at your fingertips a simple method of adding protection from the DLL (CWDIllegalInDllSearch) vulnerability. Bill Pytlovany added the entries to include in WinPatrol Registry Monitoring Scripts . With this simple entry, WinPatrol will notify you if anyone tries to create and change this value from a non-zero value.

Edit Note: The instructions have been updated to change the following question by ky331 and response by Bill Pytlovany after his discussions with some folks at Microsoft. (See the Comments below.)

The steps are simple. Start by launching WinPatrol, select the "Registry Monitoring" tab and click Add:


As illustrated in the simple steps below, a new window will open to add the item to be monitored.

Registry Key: In the Registry Key selection drop-down, make sure HKEY_LOCAL_MACHINE is selected.

Type or copy/paste the following in the space provided under Registry Key:
SYSTEM\CurrentControlSet\Control\Session Manager

Name: In the Name space, type or copy/paste CWDIllegalInDllSearch

Value: In the space for Value, type 1 (the number one).

Value Type: In the drop-down box, select REG_DWORD

Click the Add button.

The results:


It is that simple with WinPatrol PLUS! Unemployed and unable to afford a license? Be sure to check out WinPatrol Supports Unemployed Job Seekers.




References:

• BillP Studios: WinPatrol Registry Monitoring Scripts
• DLL Hijacking (KB 2269637) – the unofficial list (Peter Van Eeckhoutte)
  
• KB 2264107: A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
  
• ISC SANS: DLL hijacking vulnerabilities
• Firefox, uTorrent, and PowerPoint hit by Windows DLL bug
• Knowledge Base article 2264107
• MSRC Blog: Microsoft Security Advisory 2269637 Released
• SR&D Blog: More information about the DLL Preloading remote attack vector
• TechNet: Security Advisory 2269637

Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, WinPatrol, Information, Advisory, Vulnerabilities, How-to, WinPatrol,

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...