New .lnk type vulnerability

Discussion in 'other security issues & news' started by CloneRanger, Aug 19, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667

    I'm no expert, but I have a sneaking feeling that Sandboxie benefits a lot from relative obscurity. If everyone were using Sandboxie with drop my rights, then it would be interesting.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Point taken, but what security program CAN'T have that said about it? Virtualization apps, HIPs, all of those, if used widely, would gain the attention of malware authors. HIPs programs are just as dangerous when they are improperly configured as they are with vulnerabilities though. Nothing is foolproof, but I think the easier a security app is to use effectively, the safer everyone will be. And, you can't get much simpler than virtualization. When used right, Sandboxie and others are the perfect LUA/SRP, without the hassles that go along with those. I'm getting off-topic though, I just think that a program like Sandboxie is perfect for these major situations we have been seeing lately.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I know nothing about Sandboxie except that every exploit in the wild I've asked Pete to test has failed.

    That excuse is one of many on a long list of the usual excuses, but doesn't take anything away from the premise that security measures do exist to prevent the types of infections that plague the corporate/institutional systems, *if* the will to implement them is there.

    But I will address your statement with one example.

    At the college where I used to work, Deep Freeze was installed campus wide. If a faculty member needed a new program installed in a classroom computer, it was checked/approved by the support staff and installed within a short time. Normally, faculty would submit requests during the summer prior to the new term, and everything was in place beforehand.

    It's not difficult to setup/maintain such a support system if good planning takes place.

    ----
    rich
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That works if you're sandboxing the vulnerable program. If so, then another issue is whether any data was stolen while sandboxed.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Which is where restricting what can run and access the internet comes in. If a keylogger can't execute in the sandbox, it can't steal anything. If it can't access the internet, it can't send the data anywhere even if it did run. Also, simply blocking access to personal files/folders in the sandbox settings also keeps data from going anywhere. That's the great thing about the program, it's a virtual app, anti-executable and SRP (basically), all in one easy to use, and, just as important, easy to understand program.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Unconvinced if Sandboxie can contain POC/exploit which calls up potentially malicious dll such as the one taking advantage of this vulnerability in question, see this... xttp://ssj100.fullsubject.com/security-f7/dll-exploit-testing-t257.htm
    (Check how other anti-malware mechanisms succeed or fail against this POC-exploit)

    Now, of course, Sandboxie can't stop browser-side malicious javascript redirects or attacks of the phishing nature just like any pro-active measure like the use of AE, SRP, Applocker or HIPS.

    Sandboxie as dw426 described is like a 3 in 1 Powerhouse in an easy to use and easy to understand tiny application.

    Isn't it right, SSJ100, Franklin and Peter2150? :D
     
    Last edited by a moderator: Aug 30, 2010
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I agree!


    Classroom computers are different than personal computers. Classroom computers can be managed well in advance; personal computers may need to have random software installed within the day.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    By SSJ's own results, the threat is contained. That isn't to say that eventually there won't be a morphed threat that won't be contained. I'm just saying for now, Sandboxie users are safe. Contained, in this instance=protection in my eyes. Yes, it's running, but it won't be for long...if you're paying attention and delete the sandbox it resides in. Even in Sandboxie an effort has to be made by the user, you can't just blissfully go along leaving the sandbox as is. No, Sandboxie can't do a thing about malicious scripts, but something like NoScript can, and white-listing scripts can. There is an issue with whitelisting scripts though, in every mainstream browser I've come across, scripting is either a "fully on or fully off" choice. That's dangerous, and browser devs should do better.

    As far as phishing attacks, no, Sandboxie can't deal with that either. Phishing, for the most part, falls under social engineering, which, normally, counts on a stupid and/or inattentive user. There is no security that can protect against stupidity. There are, however some measures against it, such as a different DNS service and the phishing filters in the browser. Sandboxie isn't ever going to be the end all, be all of security, but, properly configured and maintained, it comes damn close.
     
    Last edited by a moderator: Aug 30, 2010
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree with everything you just said. I did only focus on the web, so to speak, like browsing and e-mail (web-mail service), and that by just deploying something like what I previously mentioned, I'd say that 98% of infection vectors are killed right away. For example, any e-mail I receive can come with millions of hidden links hoping for me to click on them, so be it, my browser won't connect to any domain but the already strictly allowed.

    But, as you well said, there's still an open door: Documents that users must open for whatever reason.
    The same doesn't mean to blindly open them, and tools like Sandboxie are just a great example of what can be used to safely view such documents. Even in the remote chance of a vulnerability in a recent version of Sandboxie that we're unaware of (They will always exist, it's just a matter of getting to know what it is, actually.), something could be done even further, like making use of Sandboxie or similar inside a virtual machine, for example. It would have to be a tremendous coincidence for a security bug to simultaneously exist in both Sandboxie and the Virtual Machine application that could allow an attack.

    I mean, the means are out there, as you well say. Unfortunately, not everyone knows them, nor do they know anyone who knows them. Then, we have those who are aware, but simply don't care, because, so far, nothing bad happened, yet. :(
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Of course, some form of effort and diligence is needed. Anyways, thanks for the inputs. I understand Sandboxie users are of the savvy type and have long known both limitations and advantages.

    And no one in his right mind would claim that Sandboxie is the panacea and so the importance of layered security defences.

    And sleep well, there is no malware yet in the wild able to bypass Sandboxie's containment security-wise (i.e. write beyond the sandbox). Franklin has tested (?)gigabytes of malware on Sandboxie and nothing passes through it. There are some POCs said to bypass Sandboxie but these are just minor annoyances.

    Btw, I use NoScript also. :)

    ------
    edit:

    Going back on topic, here's the list of applications confirmed to be affected, so far:
    Code:
    Application Version
    >>> ACCUNETIX 
    Accunetix Web Vulnerability Scanner (wvs) latest
    >>> ALLADIN 
    Aladdin eToken PKI Client (etc, etcp) 
    (wintab32.dll) 5.0.0.65
    >>> APPLE 
    Safari 
    (dwmapi.dll) <= 5.0.1
    >>> AVAST 
    Avast! (license file .avastlic) 
    (mfc90loc.dll) <= 5.0.594
    >>> ADOBE 
    Adobe Dreamweaver 
    (mfc90ptb.dll) CS4 (<= 10.0 build 4117) 
    CS5 (<= 11.0 build 4909)
    Adobe ExtendedScript Toolkit 
    (dwmapi.dll) CS5 v3.5.0.52
    Adobe Extension Manager (mxi,mxp) 
    (dwmapi.dll) CS5 v5.0.298
    Adobe Photoshop 
    (wintab32.dll) CS2
    Adobe Fireworks CS3, CS4 and CS5
    Adobe Device Central 
    (qtcf.dll) CS5
    Adobe Illustrator (ait, eps) 
    (aires.dll) CS4 v14.0.0
    Adobe On Location (olproj) 
    (ibfs32.dll) CS4 build 315
    Adobe Indesign (indl, indp, indt, inx) 
    (ibfs32.dll) CS4 v6.0
    Adobe Premier (pproj, prfpset, prexport, prm, prmp, prpreset, prproj, prsl, prtl, vpr) 
    (ibfs32.dll) Pro CS4 314
    >>> BREAKPOINT 
    HexWorkshop 
    (pe932d.dll, pe936d.dll, pegrc32d.dll) 6.0.1.460.3
    >>> BS.Player 
    BS.player 
    (mfc71loc.dll) latest
    >>> CAMTASIA 
    Camtasia Studio (cmmp,cmmtpl,camproj,camrec) 
    (dwmapi.dll) <= 6 build 689
    >>> CISCO 
    Cisco Packet Tracer (pkt, pkz) 
    (wintab32.dll) 5.2
    >>> CITRIX 
    Citrix ICA Client (ica) 
    (pncachen.dll, wfapi.dll) v9.0.32649.0
    >>> COREL 
    Corel Draw (cmx,csl) 
    (crlrib.dll) <= X3 v13.0.0.576
    Corel PhotoPaint (cpt) 
    (crlrib.dll) <= X3 v13.0.0.576
    >>> DAEMON TOOLS 
    DAEMON Tools Lite (mdf, mds, mdx) 
    (mfc80loc.dll) 4.35.6.0091
    >>> ETTERCAP <= NG 0.7.3
    Ettercap 
    (wpcap.dll) 
    >>> GFI 
    GFI Backup (gbc,gbt) 
    (armaccess.dll) 2009 Home Edition
    >>> GOOGLE 
    Google Chrome 
    (chrome.dll) latest
    Google Earth (kmz) 
    (quserex.dll) <= v5.1.3535.3218
    >>> HTTRACK 
    WinHTTrack Website Copier (whtt) 
    (mfc71enu.dll, mfc71loc.dll) 3.43-7
    >>> INTERVIDEO 
    Intervideo WinDVD 
    (cpqdvd.dll) 5
    >>> INTUIT 
    Quickbooks (des,qbo,qpg) 
    (dbicudtx11.dll, mfc90enu.dll, mfc90loc.dll) Pro 2010
    >>> IZARC 
    IZArc (all archive formats) 
    (ztv7z.dll) <= 4.1.2
    >>> MEDIA PLAYER 
    Mediaplayer Classic mpc (all formats) 
    (iacenc.dll) <= 1.3.2189.0
    Media Player Classic (3gp, 3gp2, flv, m4b, m4p, m4v, mp4, spl) 
    (ehtrace.dll, iacenc.dll) <= v6.4.9.x
    >>> MICROSOFT 
    MS Powerpoint (odp,pot,potm,pptx,ppt,ppa,pps,ppsm,ppsx,pptm,pwz,sldm,sldx) 
    (pptimpconv.dll, pp7x32.dll,rpawinet.dll) – verified on 32 & 64bit 2007 
    2010
    MS Word (docx) 
    (rpawinet.dll) 2007
    MS Virtual PC (vmc) 
    (midimap.dll) 2007
    Ms Visio (vtx) 
    (mfc71enu.dll) 2003
    MS Office Groove (wav, p7c) 
    (mso.dll) 2007
    MS Windows Mail (nws) 
    (wab32res.dll) 
    MS Windows Live Email (eml,rss) 
    (dwmapi.dll) latest
    MS Movie Maker (mswmm) 
    (hhctrl.ocx) <= 2.6.4038.0
    MS Vista Backup Manager (.wbcat) 
    (fveapi.dll) 
    MS Internet Connection Signup Wizard 
    (smmscrpt.dll) latest
    MS Internet Communication Settings (isp) 
    (schannel.dll) latest
    MS Group Convertor (grp) 
    (imm.dll) latest
    MS Clip Organizer (mpf) 
    (twcgst.dll) <= 11.8164.8324 (XP SP3)
    MS Snapshot viewer (snp) 
    (mfc71enu.dll, mfc71loc.dll) 11
    Windows Program Group / grpconv.exe (grp) 
    (imm.dll) latest
    MS Windows Address Book wab.exe/Contacts (wab, p7c, contact, group, vcf) 
    (wab32res.dll) XP, Vista 
    silently patched on Win7
    MS RDP Client (rdp) 
    (dwmapi.dll – Win7, ieframe.dll – XPSP3) v6.1.7600.16385 (Win7) 
    v6.0.6001.18000 (XP SP3)
    MS Visual Studio devenv.exe (cur, rs, rct, res) 
    (NULL.dll) 2008
    wscript (jse) 
    (wshfra.dll) XP version
    >>> MOZILLA 
    Firefox (htm, html, jtx, mfp, shtml, xaml) 
    (dwmapi.dll) <= 3.6.8
    Mozilla Thunderbird (eml,html) 
    (dwmapi.dll) 3.1.2
    >>> NETSTUMBLER 
    NetStumbler (ns1) 
    (mfc71enu.dll, mfc71loc.dll) 0.4.0
    >>> NVIDIA 
    NVidia Driver (tvp) 
    (nview.dll) latest
    >>> OMNIPEEK 
    Omnipeek Personal (pkt, wac) 
    (mfc71loc.dll) 4.1
    >>> OPERA 
    Opera (htm, html, mht, mhtml, xht, xhtm, xhtl) 
    (dwmapi.dll) <= 10.61
    Opera widgets (wgt) 
    >>> ORACLE 
    Java Web Start (javaw.exe) (jnlp) 
    (schannel.dll) 1.6 update 21
    >>> PUTTY 
    putty 
    (winmm.dll) 0.60
    >>> ROXIO 
    Roxio Photosuite 
    (homeutils9.dll) 9
    Roxio MyDVD (dmsd,dmsm) 
    (homeutils9.dll) 9
    Roxio Creator DE 
    (homeutils9.dll) <= 9.0.116
    Roxi Central (c2d,cue,gi,iso,roxio) 
    (homeutils10.dll, dlaapi_w.dll, sonichttpclient10.dll, tfswapi.dll) 3.6
    >>> SKYPE 
    Skype 
    (wab32.dll) <= 4.2.0.169
    >>> SWEETSCAPE 
    010 Editor (bt,hex) 
    (wintab32.dll) 
    >>> TEAMMATE 
    Teammate audit mgmt software suite 
    (mfc71enu.dll) v8
    >>> TEAMVIEWER 
    Teamviewer (tvc, tvs) 
    (dwmapi.dll) <= 5.0.8703
    >>> TECHSMITH 
    TechSmith Snagit (.snag) 
    (dwmapi.dll) <= 10 build 788
    TechSmith Snagit accessories (results) latest
    TechSmith Snagit profiles (snagprof) latest
    >>> uTorrent 
    uTorrent 
    (userenv.dll, shfolder.dll, dnsapi.dll, dwmapi.dll, iphlpapi.dll, 
    dhcpcsvc.dll, dhcpcsvc6.dll, rpcrtremote.dll) 
    .torrent (plugin_dll.dll) <= 2.0.3 / <= 2.0.3
    >>> VIDEOLAN 
    VLC media player (mp3) 
    (wintab32.dll) <= 1.1.3 
    (fixed in 1.1.4)
    >>> WINZIP 
    Winzip ? 
    >>> NULLSOFT 
    Winamp (669,aac,aiff,amf,au,avr,b4s,caf,cda) 
    (wnaspi32.dll, dwmapi.dll) 5.581
    >>> WIRESHARK 
    Wireshark (5vw, acp, apc, atc,bfr,cap,enc,erg,fdc,pcap,…) 
    (airpcap.dll, tcapi.dll) <= 1.2.10
    
    source: (c/o Lechio) http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
     
    Last edited: Aug 31, 2010
  11. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Is this reliable? o_O

    Secunia published a similar list today, see below
    http://secunia.com/advisories/windows_insecure_library_loading/
    I think I'm tracking 3rd party patches using this one.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not even a small fisherman manages to catch all that fish! ;)

    According to Secunia only 4 have managed to patch the problem. One of them VLC Media Player, which I believe to be used by so many people, and perhaps, most security unaware. That's great!

    Let's hope all the rest follows in short days!

    Edit: I haven't tested it, but I'm wondering, would, obviously excluding preventive measures, placing placebo *.dll files do the trick? I'm curious now, damn it!
     
  13. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Dermot7

    Looks very useful :thumb: Thanks for posting :)

    He has some other good stuff on there too :thumb:
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
     
  18. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Very well said, you are right on target.
     
  19. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Didn't MS include an easy fix for this problem by restricting the search path for DLL loading?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've seen some people reporting problems with applications afterwards. It's a pain in the neck to have it all right, it seems.
     
  21. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    It should not be too difficult, at least conceptually it should not be.
    --Only search DLLs in Program Files, System etc directories.

    I use SRP, and it basically is a stronger version of search path restriction, only files in the system directories (including DLLs) can be executed.

    I wonder where the problem is coming from?
     
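To make concrete what m00nbl00d's "placebo DLL" question and wearetheborg's "restrict the search path" remark are about, here is an added illustration (not code from the thread, from Microsoft, or from the corelan list) that models the Windows DLL search order and shows where a bare name like dwmapi.dll ends up being resolved. The file system, the share path and the Firefox install directory are constructed sample data; the mitigation is modelled simply as dropping the current directory from the search list.

```python
"""Toy model of the DLL search order behind the KB 2269637 hijacking issue.

Assumptions (not taken from the thread): SafeDllSearchMode is on, so the walk
is application directory, system directories, Windows directory, then the
current working directory (CWD), then PATH.  The CWD of an application that
opens a document from a share is that share, which is the hijacking setup.
"""
from pathlib import PureWindowsPath as P

# Constructed sample file system: the set of full paths that "exist".
# dwmapi.dll is deliberately absent from the system directories (as on XP).
SAMPLE_FS = {
    r"C:\Program Files\Firefox\firefox.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"\\share\docs\report.html",   # document the user double-clicked
    r"\\share\docs\dwmapi.dll",    # untrusted file sitting next to it
}

def search_dirs(app_dir, cwd, path_dirs=(), cwd_illegal=False):
    """Directories probed, in order, for a DLL requested by bare name."""
    dirs = [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
    if not cwd_illegal:            # the mitigation removes the CWD from the walk
        dirs.append(cwd)
    return dirs + list(path_dirs)

def resolve_dll(name, app_dir, cwd, path_dirs=(), fs=SAMPLE_FS, cwd_illegal=False):
    """Full path a bare-name load would pick, or None if nothing is found."""
    for d in search_dirs(app_dir, cwd, path_dirs, cwd_illegal):
        candidate = str(P(d) / name)
        if candidate in fs:
            return candidate
    return None

def hijack_outcomes():
    """Four cases: a system DLL, the missing DLL, CWD removed, placebo copy."""
    app = r"C:\Program Files\Firefox"
    cwd = r"\\share\docs"          # CWD inherited from the opened document
    placebo_fs = SAMPLE_FS | {str(P(app) / "dwmapi.dll")}   # copy in app dir
    return {
        "system dll": resolve_dll("user32.dll", app, cwd),
        "missing dll, default": resolve_dll("dwmapi.dll", app, cwd),
        "missing dll, cwd removed": resolve_dll("dwmapi.dll", app, cwd, cwd_illegal=True),
        "missing dll, placebo": resolve_dll("dwmapi.dll", app, cwd, fs=placebo_fs),
    }

if __name__ == "__main__":
    for case, path in hijack_outcomes().items():
        print(f"{case:28s} -> {path}")
```

The default case resolves the bare name to the share (the hijack), removing the CWD makes the load fail instead, and a copy in the application directory wins before the walk ever reaches the CWD, which is why both ideas in the thread change the outcome.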
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From hxxp://digitalacropolis.us/?p=113:
     
  23. wat0114

    wat0114 Guest

    This is exactly the sort of info I've been hoping for, or at least along these lines; real world examples of infection fully explained in layman's terms :) Thanks MrBrian!

    Not too surprising, a couple of easy to apply tips he gives to prevent the infection:

     
    Last edited by a moderator: Sep 1, 2010
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).
     
  25. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    Any chance a dll might be packed with a file itself, like without relying on a folder..?
     