[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Pierre Ynard linkfanel at yahoo.fr
Tue Mar 14 04:57:04 CET 2017


These patches sure look like snake oil to me.

To me this is akin to security through obfuscation. This is merely
embedding and burying loading and security mechanisms into binary blobs
and compiled machine code so they're less accessible to bypass.

Doesn't embedding the manifest make it actually less transparent, and
harder to check if it was forged?

Can an attacker not drop into a plugin directory a malware VLC plugin
containing calls to reset the loader path preferences? Where is your
dear security strategy after that plugin gets auto-loaded, on the floor?

Doesn't loading DLLs at run-time lower symbol checks and make it easier
to craft a counterfeit library? Doesn't it make it easier to inject
attacker code after using a vector like the above one to ruin your dear
secure loading policy?

Tampering with the VLC install directory is tampering with the VLC
install, no matter how much you try to sugarcoat it. Just because it's
easier if you don't have to recompile VLC or patch compiled code or edit
those pesky binary files, doesn't make it less tampering. And you're not
protecting against tampering, you're merely burying "sensitive" parts
deeper into binary code. This is snake oil. These patches improve the
situation like obfuscation improves security.

If you want to bloat winvlc.c with security duties of the system loader
and package distribution, because you believe they're safer there and
less likely to be stripped or bypassed, why not also put there more
countermeasures like cryptographic integrity of installed binaries at
init, and scanning of installation directory for rogue wininet.dll, and
self-protect encryption of the signature table too? If you want more
ideas I hear there were good concepts to pick from the Skype binaries.
This sickens me.

So the CIA just grabbed one low-hanging fruit on the trojan-horse tree.
Let's hurry to push many fixes to show that we're very concerned,
reactive and serious that this issue is taken care of and this one
vector is definitely blocked now, woooo! Good thing the CIA didn't drop
a malware VLC plugin, otherwise instead of a few system libraries we'd
be working on rewriting the whole plugin architecture!

I like this statement: https://pbs.twimg.com/media/C6V78U1WYAEaEvM.jpg
Not afraid, educational, points out where the real problem is. I don't
like VideoLAN's schizophrenic PR posture.

Overall, how disappointing again.

-- 
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."
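
The message above argues about where wininet.dll gets loaded from and
about rogue DLLs sitting in the install tree. The following is an added
example, not code from this thread, from Pierre Ynard or from the VLC
project: a PowerShell check a Windows administrator or responder can run
to confirm which copy of wininet.dll a live VLC process actually mapped,
and to list DLLs under the install directory whose file names collide
with DLLs in System32 (the classic precondition for search-order
hijacking). The process name "vlc", the default install path and the
choice to flag only name collisions are assumptions made for this example.

```powershell
# Added example (not from the vlc-devel thread or the VLC project).
# Assumptions: the process is named "vlc" and VLC lives under Program Files;
# both are parameters so they can be overridden.
param(
    [string]$ProcessName = 'vlc',
    [string]$InstallDir  = (Join-Path $env:ProgramFiles 'VideoLAN\VLC')
)

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. In each running VLC process, wininet.dll must come from System32.
#    A copy mapped from the install directory (or anywhere else) is the
#    hijack case the patch under discussion is trying to rule out.
foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    # Process.Modules only enumerates processes of the same bitness as
    # this PowerShell host; run 64-bit PowerShell for a 64-bit VLC.
    $mods = $p.Modules | Where-Object { $_.ModuleName -ieq 'wininet.dll' }
    if (-not $mods) {
        "PID $($p.Id): wininet.dll not loaded (yet)"
        continue
    }
    foreach ($m in $mods) {
        $fromSystem32 = $m.FileName.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $status = if ($fromSystem32) { 'OK' } else { 'SUSPICIOUS' }
        "PID $($p.Id): wininet.dll mapped from $($m.FileName) [$status]"
    }
}

# 2. Any DLL under the install tree whose name also exists in System32 is a
#    candidate for search-order hijacking if the loader is ever pointed at
#    the application directory. Report it with its Authenticode status so
#    the hit can be triaged; a name collision alone is not proof of tampering.
$sysNames = Get-ChildItem -Path $system32 -Filter *.dll -File |
    ForEach-Object { $_.Name.ToLowerInvariant() }
$sysSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$sysNames)

Get-ChildItem -Path $InstallDir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $sysSet.Contains($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path             = $_.FullName
            ShadowsSystemDll = $true
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
        }
    }
```

Run it from an elevated 64-bit PowerShell while VLC is open; the first
part is empty if wininet.dll has not been loaded yet, which is precisely
the state the patch wants at startup. Hits in the second part need a
human look: VLC legitimately ships third-party DLLs, so only a file whose
name matches a system DLL and which is unsigned or signed by an
unexpected party deserves follow-up.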
