miércoles, 15 de septiembre de 2010

Stay Protected with Windows...Nah!!! Now .DLLS??!!

This is a short list of vulnerabilities you must pay attention to on a daily basis if you intend to keep your Windows system secure (enough):

1. E-mail viruses
2. Internet viruses
3. Macro viruses
4. Rootkits
5. Spyware
6. Ransomware
7. USB viruses
8. Beacons
9. Pdf exploits
10. flash exploits

You have them all covered, you say? Great! Now, what happens if your very system files become part of the problem? Let's say, your .DLL files?

Did you know that your dynamic library files (.Dll), used vastly by Windows OS and windows applications are now being hijacked? Did you know that your Windows system can download unwanted .dlls from sources you did not ask it to? This problem is listed as KB 2269637

Did you know that this problem affects the powerful Windows Seven as well as Vista and XP? However, it affects just a few applications nobody uses, such as:

1. Adobe Dreamweaver
2. Adobe Photoshop
3. Adobe Illustrator
4. Avast!
5. BS Player
6. Camtasia Studio
7. Corel Draw
8. Daemon Tools
9. Google Chrome & Google Earth
10. Intervideo WinDVD
11. iTunes
12. Microsoft Office Powerpoint
13. Microsoft Office Word (with its acclaimed .docx!)
14. Microsoft Virtual PC
15. Microsoft Windows Mail & Live Mail
16. Microsoft Media Encoder
17. Mozilla Firefox (fixed in version 3.5.12 & 3.6.9)
18. Nullsoft Winamp
19. Nvidia Driver
20. Oracle Java

This is by no means a full list. Interestingly enough, open source applications have responded more quickly to fix the vulnerability. Anyway, there is a very simple process to auto-audit your system and find its vulnerable applications. Needless to say, you must first grab a copy--the latest copy--of DLLHijackAuditKit. Then, you must follow a series of simple steps listed on Metasploit, like:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name "Logfile.CSV".

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

What? This is for techies you say? These are the EASY instructions with the newest version of the software! Well, if what you want is a list of applications with the problem, then take a look here, but keep in mind that the list there is not extensive either.

To protect yourself, you can follow the "easy" steps Susan Bradley describes in her article here, for example:

Based on my reading and testing, thus far, simply downloading patches to fix the problem might break some of my critical business applications. If you use the DLL patch process offered by Microsoft in MS Security Advisory 2264107 (more on that below), do so on a separate test PC first and then look for problems with your apps. If you do run into a problem, look for updates for your software and consider disabling WebClient Service, if possible (discussed below).

Security expert HD Moore has two DLL-fix recommends in his blog, but home users may find them difficult to implement.

First, check that your local firewall is preventing outbound Server Message Block (SMB) file processes. To do this, see whether the local firewall lets you block traffic through ports 135 and 445. But be careful: if you have a peer-to-peer home-network environment, you may need these ports.

Another method is to check your DSL- or cable company–supplied router's firewall settings. See whether you can adjust it to specifically block ports 135–139 and port 445. On my Linksys router, the port-filtering section lets me control up to five different ranges of ports.

Moore's second recommendation is to disable the WebClient Service, which will then block the Webdav vulnerability. (WebClient lets Windows apps create, access, and change Web-based files.) But this, too, should be done with caution — it might disable services such as Skydrive and JungleDisk. To turn off WebClient, go into Control Panel, Administrative Tools, and then Services. Scroll toward the bottom and click WebClient. On the WebClient control windows, find Startup type and select Disabled.

Whoa! Did you get it??!!

But don't fear, my friend! Microsoft won't let you fall! You just have to download and apply a patch to your already ragged and fully patched system. Here is the explanation by Microsoft. However, as with everything in life, you must brace yourself and pray that the patch won't break any of your important applications:

If you want to test Microsoft's DLL-blocking solution, go to MS Support article 2264107 and scroll down to the Update Information subsection and find the update for your specific platform. Install it and reboot your computer.

Now you're ready for step two: go to the Fix it for me subsection in article 2264107 and click the Fix it button. Clicking the button automatically creates a Registry entry that blocks "nonsecure DLL loads from WebDAV and SMB locations."

Should one of your applications stop working after the fix, you can try the following tweak to the Registry:

* Click Start and Run, then type in regedit and click OK or hit the Enter key. Scroll down the Registry list to HKEY_LOCAL_MACHINE and expand the tree below it.

* Now, navigate down the tree through SYSTEM, CurrentControlSet, Control, and Session Manager (circled in yellow in Figure 4).

* Click on Session Manager and look for CWDIllegalInDllSearch in the list to the right (also circled in yellow in Figure 4). Double-click it.

* In the Edit DWORD Value window that pops up, change the Value data from 2 to 1 and try again. If you still have problems with an app, change it to 0 and push that vendor to fix their application.

Great! This is a piece of cake! :P

I definitely agree with Joany, a fellow Mepis user who let us know about this situation in the Mepis Forum: How can Windows fanboys still say that Linux is hard?? Does that mean that following all these steps just to check if your system is at risk (which probably is) and then to fix it is actually simple??

Give me a break!

2 comentarios:

  1. As a general rule, there are not any easy fixes for the vulnerabilities of Windows. Windows fanboys believe that patches or third-party software are the solution but you keep bloating your computer up.

  2. If a person pays for a bodyguard and then gets heavily punched while the bodyguard is at work, the person wouldn't be happy and fire him right away. It seems that the situation is different with Operating Systems: the ones that don't do their job receive good money and promotions.