[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Rémi Denis-Courmont remi at remlab.net
Fri Mar 10 17:57:56 CET 2017


On Friday, 10 March 2017, 14.52.38 EET, Jean-Baptiste Kempf wrote:
> On Fri, 10 Mar 2017, at 14:46, Rémi Denis-Courmont wrote:
> > Says you. The known DLLs list is ostensibly a matter of system
> > configuration. So if you follow that logic, you need to DllOpen
> > EVERYTHING since you don't really have a fixed list. Which is actually
> > impossible.
> 
> Yet, this is using the default KnownDLL list.

But that is the whole point. This is only the _default_.

Microsoft can extend the list and make this fix redundant. The admin, maybe 
the user, or an attacker can remove another entry from the list. It is 
presumptuous to call that a fix if it depends on the default settings to work. 
It is not a fix in my book. Especially not for a security vulnerability.

There are already rumors that VideoLAN was strong-armed to add or leave open 
this vulnerability. It will get worse: We have known this issue since at least 
July of last year, and yet we only fixed it partially at the time. And lastly, 
the board has issued a PR about how the issue is taken very seriously and will 
be fixed.


So we can't be content with these two half-assed fixes now.

-- 
雷米‧德尼-库尔蒙
https://www.remlab.net/


