Back to list
Defense in depth -- the Microsoft way (part 5): sticky, persistent vulnerabilities
Jul 27 2013 04:00PM
Stefan Kanthak (stefan kanthak nexgo de)
with Windows XP (about 12 years ago) Microsoft introduced the
so-called "side-by-side" technology to overcome "DLL hell".
With "side-by-side" technology several versions of a DLL can be
installed on a system at the same time, for global use by any
application; the "side-by-side" store is located in the
subdirectory "WinSxS" of the "Windows" directory.
Applications, for example "filename.exe", that need to use/load a
"side-by-side" DLL have to provide a 'Manifest', either as resource
linked into the application or as an external file named
"filename.manifest" to let the loader locate the "side-by-side" DLL.
Microsoft NEVER purges OUTDATED and/or VULNERABLE DLLs from the
"side-by-side" store, and Microsoft does NOT provide a utility to
cleanup the mess^H"DLL hell" accumulated in the "side-by-side" store.
The result: every application can request via 'Manifest' to load a
VULNERABLE version of any DLL present in the "side-by-side" store,
effectively circumventing ANY security patches installed for these
If you think now: but there is a publisher configuration
that redirects old versions to the patched version: the publisher
configuration is overridden by a per-application configuration,
cf. <http://msdn.microsoft.com/library/ee710783.aspx> and
Common candidates to tinker with on Windows XP and 2003 are
(see Start->Run CMD.EXE /K dir /S /B %SystemRoot%\WinSxS\*.DLL):
- WINHTTP.DLL (installed 3 times on a fully patched 2003)
- COMCTL32.DLL (installed 3 times on a fully patched XP,
and 4 times on a fully patched 2003)
- GDIPLUS.DLL (installed 4 times on a fully patched XP,
and 3 times on a fully patched 2003)
- MSVCRT.DLL & MSVCIRT.DLL
For Windows Vista and later: run the command given above and see yourself!
PS: if you find any of these "side-by-side" DLLs in %ProgramFiles%,
%ProgramFiles(x86)% or other locations: ask the developers/vendors
who installed them there to take a REALLY THOROUGH look at
And don't forget to file bug reports against any product that
installed OUTDATED and/or VULNERABLE DLLs!
[ reply ]
Copyright 2010, SecurityFocus