New .lnk type vulnerability

Thanks and I see. Not sure why the earlier decision to not post youtube av-testing videos is related and applicable to giving a link to a page demonstrating a vulnerability being talked about in the thread, but OK. At least people can copy and paste I guess. Cheers.

 

From Windows DLL load hijacking exploits go wild:

 

From Binary Planting Update, Day 7:

 

Never heard of Program Manager Group Converter in the link MrBrian gave

Did a search on my comp and it didn't find it ? Don't have WebDav either.

 

hmmm...we've got another one!! so any idea whether LUA+Applocker would prevent this attack??

I am in half mind to shift to Ubuntu now.. but just hanging on to 7 because of the $$ i paid to have it.

 

From Slimming Down Windows Xp: The Complete Guide, Bold_Fortune's Complete Guide To Slimming Down Windows XP

For Program Manager Group Converter

For WebDav:

By now, you might already have disabled Webclient service since you probably don't need WEBDAV.

You can delete PROGMAN.EXE. I use XPLITE, to temporarily disable windows file protection. See the above link on how to do it safely. But first, do a system image backups(that you have validated that can restore successfully).

Unfortunately as quoted GRPCONV.EXE is needed for some programs to install. Don't delete!!! You can probably block GRPCONV.EXE from executing.

EDIT:
But then again, the most practical solution would be is to block or prompt for unknown or untrusted dlls and executables from untrusted folders by the use of SRP/AE/HIPS/Applocker or containment by opening files throught a sandboxed explorer/usb drives.

To emphasize:

 

From Better, Faster, Stronger: DLLHijackAuditKit v2:

 

I've verified that the proof-of-concept for VLC Media Player works. Also, Comodo Internet Security, when used as an anti-executable with the DLL interception option, blocks the DLL. The message box below appears if and only if the DLL is loaded.

I would expect SRP/AppLocker to also be effective when they're configured to block DLLs.

 

Does it not seem avoiding stupidness /sic will also prevent these exploits?

 

@ trismegistos

Hi, thanks for taking the time to put that together

Went and rechecked and i do have a few of those, and PG blocks them





Initially i searched for Program Manager Group Converter duh

You're right i have disabled Webclient service



I have looked at - http://www.graphixanstuff.com - before, but some ago, so had forgotten about it. Very indepth info, thanks for the reminder

*

@ MrBrian

If you ran the DLLHijackAuditKit you get a medal from me Good to know CIS blocks the .DLL, i expect ProcessGuard would too.

@ JRViejo

Re - Hackers post attacks for 40-plus apps.

That didn't take long only another few hundred to go

 

I didn't try DLLHijackAuditKit actually, so no medal .

For the record, CIS blocks these vulnerabilities only when the Image Execution Control Level is set to Aggressive and the appropriate extensions are specified in Files to Check. These are not the default settings.

 

@ MrBrian

About CIS = OK

If not the DLLHijackAuditKit what you you run/test with then ?

 

I used the POC for VLC Media Player at the biggest exploits site.

 

VMware Affected as well - http://www.kb.cert.org/vuls/id/707943

Testers take care.

 

.

I think i know which one you mean

 

Also noticed that Avast! is included.

edit: to be fixed in the next build.

 

Hmm, and I thought only TCP traffic needed to be blocked for ports 139/445, but looks like it's UDP as well...

http://www.kb.cert.org/vuls/id/707943

 

What is SMB?

 

Server Message Block, a networking protocol, used to share resources between parts of a network.

 

WinPatrol PLUS users can follow the instructions here for protection against DLL vulnerability

WinPatrol Registry Monitoring Scripts

 

It,s a pity that you can no longer do this with latest CIS v 5 RC. They removed dll control from Defence Plus. What a pitty!!

I posted a thread but seems developers will not take any notice.

http://forums.comodo.com/beta-corner-cis/how-cis-hips-is-going-to-protect-against-this-t60858.0.html