[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Rémi Denis-Courmont remi at remlab.net
Mon Mar 13 20:05:32 CET 2017


On Monday, 13 March 2017, 6.43.30 EET, Steve Lhomme wrote:
> There are obviously many levels on which the app can be compromised. And
> obviously we can't do anything about a recompiled version with malware
> added (well, in the next Windows it's possible to disallow running apps not
> coming from the store).
> 
> But in this case the idea is not to tamper with the software at all.

What? Tampering with the manifest is definitely tampering with the software, 
as much, if not more so than tampering with the application installation 
directory or non-executable asset files.

> You can update it and the hack still remains.
> Nothing is even installed on the infected/spied on computer.
> So we should definitely fix that kind of attack.

WTF? Obviously not. We cannot prevent the user from running malware. Whether 
the malware is installed or portable is irrelevant. Such protection is up to 
the operating system and the antivirii snake oil^W^Wsoftware.

> Having the manifest embedded is the first step.

Straw man argument.

I never said that we should or should not embed the manifest.

> But it's always possible to remove it (and a potential exe signature).
> The software still looks legit and runs the same.

And that's why trying to protect against it is futile, and claiming to fix the 
alleged vulnerability lies somewhere between misleading and wrong.

> So we should also avoid "implib loading" those DLLs that are not known DLLs
> and preloaded for anyone to use at boot.

> We can load them later, only from System32 when we need them, as patches
> show.

That only makes sense if you verify the integrity of "unknown" DLLs in 
System32 before you link them at run-time. The patches do _not_ do that (and I 
doubt there is a reasonable way to do it). Also even then, it would still be 
vain since the attacker can still replace VLC's own DLLs or add a trojan in 
the plugins or Lua directories.


If you can add/remove/rename/modify files in the VLC installation directory, 
you own the VLC user. If you can run an arbitrary program, you own the user 
running the program.

-- 
雷米‧德尼-库尔蒙
https://www.remlab.net/


