[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Rémi Denis-Courmont remi at remlab.net
Fri Mar 10 17:57:56 CET 2017

Le perjantaina 10. maaliskuuta 2017, 14.52.38 EET Jean-Baptiste Kempf a 
écrit :
> On Fri, 10 Mar 2017, at 14:46, Rémi Denis-Courmont wrote:
> > Says you. The known DLLs list is ostensibly a matter of system
> > configuration. So if you follow that logic, you need to DllOpen
> > EVERYTHING sinve you don't really have a fixed list. Which is actually
> > inpossible.
> Yet, this is using the default KnownDLL list.

But that is the whole point. This is only the _default_.

Microsoft can extend the list and make this fix redundant. The admin, maybe 
the user, or an attacker can remove another entry from the list. It is 
presumptuous to call that a fix if it depends on the default settings to work. 
It is not a fix in my book. Especially not a for a security vulnerability.

There are already rumors that VideoLAN was strong-armed to add or leave open 
this vulnerability. It will get worse: We have known this issue since at least 
July of last year, and yet we only fixed it partially at the time. And lastly, 
the board has issued a PR about how the issue is taken very seriously and will 
be fixed.

So we can´t be content with these two half-assed fixes now.


More information about the vlc-devel mailing list