#2029 About Winmerge & Microsoft Security Advisory (2269637)

Milestone: Branch_+_Trunk
Status: closed-fixed
Owner: None
Priority: 9
Updated: 2013-02-03
Created: 2010-08-30
Creator: Requin
Private: No

Hi,

It turns out that Winmerge 2.12.4.0 is affected by the DLL hijacking security issue detailed in this MS bulletin: http://www.microsoft.com/technet/security/advisory/2269637.mspx, as shown by executing DLLHijackAuditKit v2 (http://blog.metasploit.com/2010/08/better-faster-stronger.html) on a station with Winmerge installed.
Please, could you plan a very short-term fix?
TIA

Discussion

  • Requin
    2010-08-30

    • priority: 5 --> 9
  • Kimmo Varis
    2010-08-30

    No short-term fix for 2.12 at least. I don't even have an environment in which I could build 2.12 anymore (it needs an old version of Visual Studio).

    If it's about plugins, they are not installed by default. And using them is open to many kinds of nasty bugs.

    For next release I can just disable plugins loading totally (about time!).

  • Requin
    2010-08-30

    This is a serious issue FMPOV (and not only mine ;-), so it is not really a problem if it is not in a 2.12 patch; the important thing is to get a version fixing this issue, whether it is 2.13 or something else.
    Concerning the relation to "plugins", actually I had to choose a category while submitting the bug, so I picked "plugins" as the one I expected to be most likely affected. However, as the issue is present as soon as LoadLibrary is used without specifying the full path for the DLL, I think other parts of the application may be concerned. BTW, DLLHijackAuditKit v2 indicated that Winmerge was affected at least when loading mfc71loc.dll. And as it is the app itself that loads it, I guess this is default behavior not related to plugins...

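A defender-side check for the mitigation Microsoft published with this advisory, as an added example that is not part of this thread or of the WinMerge project: it reads the SafeDllSearchMode and CWDIllegalInDllSearch registry values documented alongside Security Advisory 2269637 (KB2264107), system-wide and as a per-application override, and assumes winmergeu.exe as the image name.

```powershell
# Added example, not from this thread: report whether the DLL search-order
# hardening from Microsoft Security Advisory 2269637 (KB2264107) is in place,
# system-wide and as a per-application override for winmergeu.exe.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value does not exist.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Describe-CwdPolicy {
    param($Value)
    # REG_DWORD 0xFFFFFFFF is read back as -1 by Get-ItemProperty.
    if ($null -eq $Value) { return 'not set: current directory stays in the DLL search path' }
    if ($Value -eq -1 -or $Value -eq 4294967295) {
        return '0xFFFFFFFF: current directory removed from the DLL search path'
    }
    switch ($Value) {
        0       { '0: no restriction' }
        1       { '1: current directory skipped only when it is a WebDAV share' }
        2       { '2: current directory skipped when it is a WebDAV or remote share' }
        default { "$($Value): unrecognised value" }
    }
}

function Test-DllSearchHardening {
    param([string]$ImageName = 'winmergeu.exe')

    $safeMode  = Get-RegDword -Path $SessionMgr -Name 'SafeDllSearchMode'
    $systemCwd = Get-RegDword -Path $SessionMgr -Name 'CWDIllegalInDllSearch'
    $appCwd    = Get-RegDword -Path (Join-Path $IfeoRoot $ImageName) -Name 'CWDIllegalInDllSearch'

    # SafeDllSearchMode is enabled by default when the value is absent.
    $safeText = if ($null -eq $safeMode -or $safeMode -eq 1) { 'enabled' } else { 'DISABLED' }

    [pscustomobject]@{
        Image               = $ImageName
        SafeDllSearchMode   = $safeText
        SystemWideCwdPolicy = Describe-CwdPolicy $systemCwd
        AppCwdPolicy        = Describe-CwdPolicy $appCwd
    }
}

Test-DllSearchHardening | Format-List
```

Only an application whose own loads are fixed (or whose runtime no longer probes the current directory) is protected without this setting; the check above shows whether the registry mitigation covers the rest.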
  • Requin
    2010-08-31

    Here is the output I get on W7 with DLLHijackAuditKit v2:
    [*] Application: winmergeu.exe
    [*] Successfully exploited winmergeu.exe with .winmerge using mfc71enu.dll
    [*] Successfully exploited winmergeu.exe with .winmerge using mfc71loc.dll
    HTH

  • Kimmo Varis
    2010-08-31

    Well, those DLLs are loaded by MS's other runtime DLLs, not by WinMerge code.

    Which means we have to update to later (/latest) runtime versions. Which is a dead end for 2.12.x versions.

    2.13.x already uses VS 2005 runtimes. So if those runtimes are not vulnerable then the bug is already fixed in 2.13.x. If not, then we need to update to VS2008 runtimes. Luckily that is much less painful than the update from VS 2003 runtimes was.

    Getting a 2.14.x stable release out takes a few months. There is really no way to make it a fast process. Somebody needs to update the documentation, and we need to give translators time to update translations. And there are plenty of bugs to fix.

  • Kimmo Varis
    2010-08-31

    • labels: 591208 -->
  • Committed to SVN trunk. Completed: At revision: 7244

  • Kimmo Varis
    2010-09-13

    List of vulnerable applications URL picked from duplicate bug (#3064516):
    http://secunia.com/advisories/windows_insecure_library_loading/

    This got a lot more publicity than I thought, and WinMerge got its own Secunia advisory for this:
    http://secunia.com/advisories/41143

    So there is no other way than to do a new 2.12.x stable release. It will be a painful and somewhat risky thing to do, as it will be a lot more than this security fix. But we can't leave all users vulnerable either.

    Takashi, can you merge/port your fix to R2_12 branch also?

  • Kimmo Varis
    2010-09-13

    • milestone: 102450 --> Branch_+_Trunk