Alias wrote:
> There are updates today for the MS .dll hacking problem for almost
> everything. I got the following programs needing the update:
>
> Firefox
> Seamonkey
> Thunderbird
> Skype
> Chrome
>
> There may be more programs needing the update, so check them.
>
Looks like a regular release.
https://wiki.mozilla.org/Releases/Firefox_3.6.9
List of security fixes.
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.9
If you look at the wording on this one, it's a shortcoming of the
coding on Firefox, rather than being a flat out Windows issue.
"Windows XP DLL loading vulnerability"
http://www.mozilla.org/security/announce/2010/mfsa2010-52.html
"Firefox attempts to load dwmapi.dll upon startup as part of its
platform detection, so on systems that don't have this library,
such as Windows XP, Firefox will subsequently attempt to load
the library from the current working directory. An attacker
could use this vulnerability to trick a user into downloading
a HTML file and a malicious copy of dwmapi.dll into the same
directory on their computer and opening the HTML file with
Firefox, thus causing the malicious code to be executed.
If the attacker was on the same network as the victim, the
malicious DLL could also be loaded via a UNC path. The attack
also requires that Firefox not currently be running when it
is asked to open the HTML file and accompanying DLL."
"Note: Firefox users on Windows versions earlier than Vista <---- later than ???
were not vulnerable to this attack because dwmapi.dll
legitimately exists in Vista and later versions and
is successfully loaded by Firefox before attempting
to load the planted DLL."
What that note doesn't explain, for the Windows XP users this
does apply to, is how Firefox is downloading into the same directory
as the executable? My download folder is just a download folder.
The place HTML files are downloaded isn't the same place as the
rest of the install directory, as far as I know. It would take
some outright cleverness on the part of the user to set the
download directory so it was the same as the executable folder used
by Firefox. Presumably, there are path loading rules that prevent
a tool from taking code from just anywhere.
So this one strikes me as being "a stretch". You have to go
out of your way to be vulnerable. And also, since this *is* a
Windows 7 group, the Firefox bug doesn't apply to Windows 7.
If you wanted to be sure, and you're on Windows 7, search
your C: drive for dwmapi.dll and see if there is a copy already
there that Firefox would be loading.
*******
With regard to Skype, do they have release notes of any merit?
I couldn't find anything interesting there.
HTH
Paul
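The "search your C: drive for dwmapi.dll" check from the post above, as an added PowerShell example (not part of the thread and not Mozilla's or Microsoft's code). It lists every copy of dwmapi.dll on the system drive and flags any that sits outside the Windows system directories, which is where a planted copy of the kind the advisory describes would show up (a Downloads folder, for instance). Paths under %SystemRoot% and the use of Get-AuthenticodeSignature are assumptions about a standard Windows install.

```powershell
# Added example: find every dwmapi.dll on the system drive and flag copies
# that are not in the expected Windows locations.
# Assumptions: %SystemRoot% is the Windows directory (usually C:\Windows);
# the legitimate DLL lives in System32 (and SysWOW64 on 64-bit), with
# servicing copies under WinSxS.

$systemRoot = $env:SystemRoot
$expectedPaths = @(
    (Join-Path $systemRoot 'System32\dwmapi.dll'),
    (Join-Path $systemRoot 'SysWOW64\dwmapi.dll')
)
$winSxS = Join-Path $systemRoot 'WinSxS'

# Recurse the whole system drive; skip folders we cannot read instead of stopping.
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'dwmapi.dll' `
            -Recurse -File -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $hits) {
    $isExpected = ($expectedPaths -contains $f.FullName) -or
                  $f.FullName.StartsWith($winSxS, [System.StringComparison]::OrdinalIgnoreCase)

    # Signature status is a secondary signal: older Windows builds may report
    # catalog-signed system DLLs as NotSigned, so rely mainly on the location.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName

    [pscustomobject]@{
        Path      = $f.FullName
        Expected  = $isExpected
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Bytes     = $f.Length
        Modified  = $f.LastWriteTime
    }
}

if (-not $report) {
    Write-Output 'No dwmapi.dll found on the system drive (expected on Windows XP).'
} else {
    $report | Sort-Object Expected | Format-Table -AutoSize
    $planted = $report | Where-Object { -not $_.Expected }
    if ($planted) {
        Write-Warning "dwmapi.dll found outside the Windows system directories: $($planted.Count) copy/copies. Review the paths above."
    }
}
```

On Windows 7 the expected result is one or two rows marked Expected = True under C:\Windows; a row with Expected = False is a copy that did not come with Windows and deserves a closer look.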