14 DAY TRIAL //
Microsoft has updated the resources made available to Windows customers to help them protect their machines against attacks exploiting DLL preloading vulnerabilities remotely.
In this regard, the Redmond company refreshed the KB 2264107 (A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm), adding a Fix It solution designed to automatically install the registry entry capable of blocking nonsecure DLL from loading from WebDAV and SMB locations.
Security Advisory 2269637 was released the past week offering users information and mitigations against attacks which followed the public disclosure of a remote attack vector to a class of security flaws impacting applications dealing with dynamic-link libraries (DLL’s) insecurely.
KB 2264107 offered an update for a variety of Windows operating systems, however, following the integration of the refresh, customers still needed to configure their systems manually.
Now, with the availability of the Fix It solution, this is no longer necessary.
“With the advisory, we released a tool to help customers protect their systems (see KB 2264107),” revealed Jerry Bryant, Group Manager, Response Communications.
“This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading. When installed, this tool still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting."
“As a result, our Security Research & Defense team has written a detailed blog post on this topic and has worked with our Microsoft Fix-it team to develop a Fix-it to enable our recommended setting which blocks most network-based attack vectors. (Please note that the tool needs to be installed prior to enabling the Fix-it.)”
Essentially, what customers need to do is first download and install KB 2264107. Users will find the necessary links at the bottom of this article, and they need to grab the update best suited to their operating system.
Only after KB 2264107 is in place, should customers run the Fix It solution. “By default, protection is disabled when you install update 2264107. Then, the protection can be configured manually (…), or you can run the fix it. When you run the fix it, protection is enabled to protect against remote, nonsecure DLL loads,” Microsoft stated.
The Redmond company is currently working to add the tool to the Windows Update catalog, a move designed to make it easier for business users leveraging Windows Server Update Services to deploy it.
“I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers. This will primarily be in the form of security updates or defense-in-depth updates,” Bryant noted.
“Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important.”
Download links for KB 2264107:
Update for Windows XP Update for Windows XP x64 Edition
Update for Windows Server 2003
Update for Windows Server 2003 x64 Edition
Update for Windows Server 2003 for Itanium-based Systems
Update for Windows Vista for x64-based Systems
Update for Windows Server 2008
Update for Windows Server 2008 x64 Edition
Update for Windows Server 2008 for Itanium-based Systems
Update for Windows 7 for x64-based Systems