ID: kb000035.htm
Question:

How to prevent DLL Hijacking?

Answer:

If the computer is not properly protected by antivirus software that is kept up to date, malware may copy into an application's working folder (for example, Movicon's folder) a DLL that has the same name as a system DLL but contains malicious code. Because the DLL search path starts with the local folder, the application could then load this DLL before it finds the legitimate one in the operating system.

To prevent this you can apply the instructions in the following Microsoft Security Bulletin:

 

 

[…

Disable loading of libraries from the current working directory

 

According to Microsoft Security Advisory 2269637:

Note This workaround requires installation of the tool described in Microsoft Knowledge Base Article 2264107.

Microsoft has released a tool which allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.

Customers who are informed by their vendor of an application being vulnerable can use this tool to help protect against attempts to exploit this issue.

 

After the update listed in KB article 2264107 has been installed, the following registry value can be used to remove the current working directory from the default DLL search order:

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDllSearch"=dword:ffffffff

 

Note that making this change may cause some applications to not behave properly.

…]
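To check how a machine is currently configured, the following PowerShell audit reads the system-wide value quoted above and lists any per-application settings. It is an added example, not part of the quoted Microsoft text or of any vendor tool. The Image File Execution Options path and the meanings of values 0, 1 and 2 are taken from Microsoft KB 2264107 rather than from this page, and the function name Get-CwdSearchPolicy is hypothetical.

```powershell
# Added example: report CWDIllegalInDllSearch system-wide and per application.
# Read-only; it changes nothing in the registry.
$name   = 'CWDIllegalInDllSearch'
$global = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Per-application location (from KB 2264107, not from this page):
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdSearchPolicy {   # hypothetical helper name
    param([string]$Path, [string]$Scope)
    $raw = (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $raw) {
        $hex    = '(not set)'
        $effect = 'default search order, current working directory is searched'
    } else {
        # Format as hex so the result is the same whether the DWORD
        # is surfaced as a signed or an unsigned integer.
        $hex    = '0x{0:X8}' -f $raw
        $effect = switch ($hex) {
            '0xFFFFFFFF' { 'current working directory removed from the DLL search order' }
            '0x00000002' { 'DLL load blocked when the working directory is a remote (WebDAV or UNC) folder' }
            '0x00000001' { 'DLL load blocked when the working directory is a WebDAV folder' }
            '0x00000000' { 'default search order, current working directory is searched' }
            default      { 'value not documented in KB 2264107' }
        }
    }
    [pscustomobject]@{ Scope = $Scope; Value = $hex; Effect = $effect }
}

# System-wide setting first, then only the applications that carry their own value.
$report = @(Get-CwdSearchPolicy -Path $global -Scope 'System-wide')
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = Get-CwdSearchPolicy -Path $_.PSPath -Scope $_.PSChildName
    if ($entry.Value -ne '(not set)') { $report += $entry }
}

$report | Format-Table -AutoSize -Wrap
```

A per-application row showing 0x00000000 on a system whose global value is 0xFFFFFFFF means that executable still searches its working directory, so such rows deserve a second look.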

 

 

For more information see also the link to the full Microsoft document:

 

http://www.kb.cert.org/vuls/id/707943

 

 

References:

Additional query words:

DLL, Hijacking