[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Jean-Baptiste Kempf jb at videolan.org
Fri Mar 10 18:03:02 CET 2017


On Fri, 10 Mar 2017, at 17:57, Rémi Denis-Courmont wrote:
> > Yet, this is using the default KnownDLL list.
> 
> But that is the whole point. This is only the _default_.

Yes, and that fixes the issue for most configurations.

> Microsoft can extend the list and make this fix redundant. The admin,
> maybe the user, or an attacker can remove another entry from the list.
> It is presumptuous to call that a fix if it depends on the default
> settings to work. It is not a fix in my book. Especially not for a
> security vulnerability.

I'm listening to a fix according to your book.

> There are already rumors that VideoLAN was strong-armed to add or leave
> open this vulnerability. It will get worse: We have known this issue
> since at least July of last year, and yet we only fixed it partially at
> the time.

If you modify the KnownDLL list, you are root, and your system is
compromised, and we cannot do anything. We cannot fix Windows.

> lastly, the board has issued a PR about how the issue is taken very
> seriously and will be fixed.

Where did the _board_ issue any PR?

Moreover, the security issue used by the CIA is not that one at all.

> So we can't be content with these two half-assed fixes now.

We're listening to your ideas.

-- 
Jean-Baptiste Kempf -  President
+33 672 704 734

