On Fri, 27 Aug 2010 07:20:22 EDT, Larry Seltzer said:
> Why wouldn't eliminating the CWD from the DLL search order fix the problem?
> I asked Microsoft about this (
> http://blogs.pcmag.com/securitywatch/2010/08/list_of_dll_vulnerability_wind.php)
> and they said the obvious answer, that it would break too many customer
> installations. And I guess it would break a bunch of them, but there really
> isn't a good reason for anyone to load a DLL from the CWD, is there?

The mentality that "Our program only works with version 1.14 of the DLL so we'll ship a copy of it in the directory" is too entrenched. That's why you'll see a box that has 4 or 5 different copies of the Java RTE on it.

Of course, on a *sane* system you'd use a variable like LD_LIBRARY_PATH to say where to find the libraries (and maybe apply some W^X exclusion to path components). But there's just too many 3rd party packages that would have to be updated to make it palatable.

Remember - Microsoft doesn't have any real commitment to deliver a truly secure system to you. It has a commitment to deliver just enough security and other features so it can deliver dollars to its shareholders. We all *know* what it would take to secure it - and it won't happen because the resulting paradigm shifts will torpedo sales.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
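An LD_LIBRARY_PATH-style search path, as mentioned in the message above, can carry the same current-directory exposure when it holds empty or relative entries or directories other users can write to. The audit below is an added example, not part of the original post; the function names and the default set of trusted owner uids are assumptions.

```python
import os
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def audit_library_path(value, trusted_uids=(0,)):
    """Return (entry, problem) pairs for risky entries in a colon-separated path."""
    findings = []
    if not value:  # unset or empty variable: nothing to audit
        return findings
    for entry in value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry means the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves against the current directory"))
        else:
            problem = _check_directory_chain(os.path.realpath(entry), trusted_uids)
            if problem:
                findings.append((entry, problem))
    return findings

def _check_directory_chain(path, trusted_uids):
    """Check the directory and every ancestor for write access by untrusted users."""
    current, is_leaf = path, True
    while True:
        try:
            st = os.stat(current)
        except OSError:
            return f"{current} cannot be inspected (missing or unreadable)"
        if not stat.S_ISDIR(st.st_mode):
            return f"{current} is not a directory"
        if st.st_uid not in trusted_uids:
            return f"{current} is owned by untrusted uid {st.st_uid}"
        if st.st_mode & WRITABLE_BY_OTHERS:
            # A sticky ancestor (like /tmp) stops others renaming our subdirectory,
            # but a writable leaf lets anyone drop a library into it.
            if is_leaf or not st.st_mode & stat.S_ISVTX:
                return f"{current} is writable by group or others"
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return None
        current, is_leaf = parent, False

if __name__ == "__main__":
    for entry, problem in audit_library_path(os.environ.get("LD_LIBRARY_PATH", "")):
        print(f"{entry!r}: {problem}")
```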