Avoiding DLL Hijacks

Topic

New Reply

I’ve come up with two common-sense ideas for avoiding DLL Hijack attacks. Nothing high-tech or fancy. No Registry changes that may break other apps. J
[See the full post at: Avoiding DLL Hijacks]

Reply | Quote

Replies

Woody,

Great tips that everyone can easily do! Thanks for posting this.

Your article also mentions that corporates have their firewall set to avoid most WebDAV and SMB problems. I’m not clear whether home users are likely to run into WebDAV and SMB.

Should we be using the non-registry changes suggested by Microsoft (to disable the WebClient service and block ports 139 and 445?

Or is this WebDav and SMB stuff unlikely to apply to a home user?

Thanks again for your good advice
Randall

Reply | Quote

@Randall –

Most home users and small business users won’t run into WebDAV or SMB.

Reply | Quote

I sometimes download Zipped Folders for running non-installed applications on my computers. Does the mere act of Extracting All from a Zipped Folder risk running a rogue DLL? Or can I Extract All, then identify the pest and zap it before it can do any harm?

Of course, if I EVER find an infected file in a Zipped archive being offered as a non-installed Application, I would be inclined to stop doing business with the offending web site or author.

Reply | Quote

@RC –

Unzipping won’t do it, except in a weird way. I see that IZARC is listed as a program susceptible to DLL Hijacking, with the automatically called program ztv7z.dll. (See http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/ )

This gets complicated, but if you have IZARC set up as your default ZIP handler, and you have a ZIP file sitting in the same folder as a jiggered ztv7z.dll file, when you double-click on the ZIP file, your machine runs the bogus ztv7z.dll program.

So in that (rare) instance, yes, unzipping a file can run a bad program.

Reply | Quote

I find on the list (which is hardly complete) most troubling the listing for NVidia Drivers. That could lead to a hardware or firmware infection. Very troubling.

Also, Avast is probably not the only security product which has a vulnerability, but I don’t like seeing it there either.

Notably, VLC Player has recently been patched to eliminate this vulnerability. Good on VideoLAN for that one!

Reply | Quote

Microsoft has released the KB2264107 patches that may deal with the DLL Hijacking problem:
http://support.microsoft.com/kb/2264107

the 2264107 updates will be published at the Windows Update site on Tuesday Sept. 28.

Reply | Quote