Jump to content

DLL Hijacking vulnerability


Recommended Posts

16 hours ago, spudw2k said:

I'm sure this is an issue with a galaxy of software applications; nothing unique to AutoIt.

true; but the fact that everyone's a fool doesn't mean you should be one too.

when you run your AutoIt compiled software in production environment, where security is an issue (especially when you have a pedant CISSO on your back), this issue requires at least minor attention. luckily, if you develop a software with AutoIt and deploy it, you can mitigate the issue quite easily - even if only in a formal manner - like this:

regarding compiled AutoIt scripts: if they are part of an installed program (i.e. they reside in a protected folder, like Program Files) you need do nothing.

if designed to run as portable, just issue a warning in your website/documentation/EULA or wherever users are bound to see it: "do not launch app.exe directly from the download location; instead, create a new folder, copy or move app.exe to that folder. and launch it from there."

as for the AutoIt & SciTE installers - similar notice can be placed on the download page.

now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms.

however, if the AutoIt dev team wishes to provide a technical solution, it should not be that hard - make autoit3.exe load DLL's in non-default path order, i.e. first use the ones located in Windows installation path, and than use the ones in the exe path. this link has relevant info.

anyways, as for the AutoIt & SciTE installers - i think the mentioned notice is sufficient. you install AutoIt very rarely (compared to running a script, native or compiled), so i don't think messing with it is worthwhile.

Signature - my forum contributions:

Spoiler

UDF:

LFN - support for long file names (over 260 characters)

InputImpose - impose valid characters in an input control

TimeConvert - convert UTC to/from local time and/or reformat the string representation

AMF - accept multiple files from Windows Explorer context menu

DateDuration -  literal description of the difference between given dates

Apps:

Touch - set the "modified" timestamp of a file to current time

Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes

SPDiff - Single-Pane Text Diff

 

Link to comment
Share on other sites

3 hours ago, orbs said:

now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms.

Of course it is.  Certainly a company must take measures when are where they can without inhibiting the user, but the best way to protect your users is to educate them how to protect themselves.  Now a disclaimer that no one reads when they login to a system...that's not what I'm talking about.  That's just for legal purposes; i'm talking about actual user awareness training.  Much in the same way, a disclaimer on a website only has the value of CYA measure for the software dev.  

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...