About Winmerge & Microsoft Security Advisory (2269637)
Windows visual diff and merge for files and directories
Hi,
It turns out that Winmerge 2.12.4.0 is affected by the DLL hijacking security issue detailed in this MS bulletin: http://www.microsoft.com/technet/security/advisory/2269637.mspx, as shown by executing DLLHijackAuditKit v2 (http://blog.metasploit.com/2010/08/better-faster-stronger.html) on a station with Winmerge installed.
Please, could you plan a very short-term fix?
TIA
No short-term fix for 2.12 at least. I don't even have an environment in which I could build 2.12 anymore (it needs an old version of Visual Studio).
If it's about plugins, they are not installed by default. And using them is open to many kinds of nasty bugs.
For next release I can just disable plugins loading totally (about time!).
This is a serious issue from my point of view (and not only mine ;-), so it is not really a problem if it is not in a 2.12 patch; the important thing is to get a version fixing this issue, whether it is 2.13 or something else.
Concerning the relation to "plugins", actually I had to choose a category while submitting the bug, so I picked "plugins" as the one I expected to be most likely affected. However, as the issue is present as soon as LoadLibrary is used without specifying the full path of the DLL, I think other parts of the application may be concerned. BTW, DLLHijackAuditKit v2 indicated that Winmerge was affected at least when loading mfc71loc.dll. And as the app itself loads it, I guess this is default behavior not related to plugins...
Here is the output I get on W7 with DLLHijackAuditKit v2:
[*] Application: winmergeu.exe
[*] Successfully exploited winmergeu.exe with .winmerge using mfc71enu.dll
[*] Successfully exploited winmergeu.exe with .winmerge using mfc71loc.dll
HTH
Well, those DLLs are loaded by MS's other runtime DLLs, not by WinMerge code.
Which means we have to update to later (/latest) runtime versions. Which is a dead end for 2.12.x versions.
2.13.x already uses VS 2005 runtimes. So if those runtimes are not vulnerable then the bug is already fixed in 2.13.x. If not, then we need to update to VS2008 runtimes. Luckily that is much less painful than the update from VS 2003 runtimes was.
Getting a 2.14.x stable release out takes a few months. There is really no way to make it a fast process. Somebody needs to update the documentation, and we need to give translators time to update translations. And there are plenty of bugs to fix.
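The audit output above (winmergeu.exe "exploited" via a .winmerge file with mfc71enu.dll / mfc71loc.dll) and the reply that those DLLs are requested by the MFC runtime rather than by WinMerge code both come down to the Win32 DLL search order. The following is an added illustration written for this page, not code from WinMerge or from the audit kit: it simulates the documented LoadLibrary search order (SafeDllSearchMode enabled, the default since XP SP2) over a constructed sample filesystem, shows why a DLL that does not exist in the application or system directories falls through to the attacker-controlled current directory (the folder of the opened .winmerge file), and models the process-wide SetDllDirectory(L"") mitigation described in advisory 2269637, which removes the current directory from the search regardless of which module issues the load. The directory names, the attacker share and the set of requested DLLs are all assumptions for the example; nothing here describes what Takashi's changeset actually does.

```python
# Added example: simulation of the Win32 DLL search order behind MS advisory 2269637.
# All paths are constructed sample data. The probing order is the one Microsoft
# documents for LoadLibrary with SafeDllSearchMode enabled:
#   1. application directory  2. system directory  3. 16-bit system directory
#   4. Windows directory      5. current directory  6. directories in PATH
# Opening a document (e.g. a .winmerge file) from Explorer makes the document's
# folder the process's current directory, which is step 5.
from typing import List, Optional, Tuple

APP_DIR = r"C:\Program Files\WinMerge"          # assumed install location
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def norm(path: str) -> str:
    """Case-insensitive, trailing-backslash-free form used for comparisons."""
    return path.rstrip("\\").lower()


def search_order(app_dir: str, cwd: str, cwd_removed: bool = False) -> List[str]:
    """Directories in the order LoadLibrary probes them for a bare DLL name.
    cwd_removed models a process-wide SetDllDirectory(L""), the mitigation from
    advisory 2269637: the current directory is simply no longer probed."""
    order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if not cwd_removed:
        order.append(cwd)
    order.extend(PATH_DIRS)
    return order


def resolve(dll: str, order: List[str], filesystem: List[str]) -> Optional[str]:
    """First existing <dir>\\<dll> along the search order, or None (load fails)."""
    existing = {norm(p) for p in filesystem}
    for directory in order:
        candidate = directory.rstrip("\\") + "\\" + dll
        if norm(candidate) in existing:
            return candidate
    return None


def audit(app_dir: str, cwd: str, dlls: List[str], filesystem: List[str],
          cwd_removed: bool = False) -> List[Tuple[str, Optional[str], bool]]:
    """For each DLL requested by bare name, report where it resolves and whether
    that location is the attacker-controlled current directory. This is the
    observation an audit tool makes by watching which planted DLL gets loaded;
    it does not matter whether WinMerge code or the MFC runtime issued the load."""
    order = search_order(app_dir, cwd, cwd_removed)
    results = []
    for dll in dlls:
        path = resolve(dll, order, filesystem)
        hijacked = path is not None and norm(path).startswith(norm(cwd) + "\\")
        results.append((dll, path, hijacked))
    return results


# Constructed sample: a legitimate install, the system DLLs it needs, and an
# attacker's share holding a bait .winmerge file plus planted DLLs named after
# the MFC 7.1 resource DLLs reported by the audit kit. kernel32.dll is planted
# too, to show that a DLL present earlier in the order cannot be hijacked.
ATTACKER_DIR = r"\\evil-share\docs"
SAMPLE_FS = [
    APP_DIR + r"\WinMergeU.exe",
    APP_DIR + r"\mfc71u.dll",
    SYSTEM_DIR + r"\kernel32.dll",
    SYSTEM_DIR + r"\user32.dll",
    ATTACKER_DIR + r"\report.winmerge",
    ATTACKER_DIR + r"\mfc71loc.dll",
    ATTACKER_DIR + r"\mfc71enu.dll",
    ATTACKER_DIR + r"\kernel32.dll",
]
# Assumed set of bare-name loads occurring at startup (the two resource DLLs are
# optional localisation DLLs that the MFC runtime probes for and usually does not find).
REQUESTED = ["kernel32.dll", "mfc71u.dll", "mfc71loc.dll", "mfc71enu.dll"]


def hijackable_dlls(cwd_removed: bool = False) -> List[str]:
    """DLL names that would be loaded from the attacker's directory in the sample."""
    return [dll for dll, _, hijacked in
            audit(APP_DIR, ATTACKER_DIR, REQUESTED, SAMPLE_FS, cwd_removed) if hijacked]


if __name__ == "__main__":
    for mitigated in (False, True):
        print('SetDllDirectory(L"") applied:', mitigated)
        for dll, path, hijacked in audit(APP_DIR, ATTACKER_DIR, REQUESTED, SAMPLE_FS, mitigated):
            print(f"  {dll:13} -> {path or '<not found>'}{'  HIJACKED' if hijacked else ''}")
```

The point the simulation makes is the one the thread converges on: the flagged DLLs are exactly the optional ones that exist nowhere on the normal search path, so the probe falls through to the current directory, and because that probe happens inside the MFC runtime the fix has to be process-wide (removing the current directory from the search, or linking runtimes that no longer issue the bare-name load) rather than a change to any individual LoadLibrary call in WinMerge.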
I saw that Takashi added a changeset with the name "Prevent DLL hijacking" to his Japanese WinMerge fork. Is this something we can use?
http://bitbucket.org/sdottaka/winmerge-v2/changeset/f497bec43943
Committed to SVN trunk. Completed: At revision: 7244
List of vulnerable applications URL picked from duplicate bug (#3064516):
http://secunia.com/advisories/windows_insecure_library_loading/
This got a lot more publicity than I thought, and WinMerge got its own Secunia advisory for this:
http://secunia.com/advisories/41143
So there is no other way than to do a new 2.12.x stable release. It will be a painful and somewhat risky thing to do, as it will be a lot more than this security fix. But we can't leave all users vulnerable either.
Takashi, can you merge/port your fix to R2_12 branch also?
>Takashi, can you merge/port your fix to R2_12 branch also?
Committed to R2_12 branch. Completed: At revision: 7259
Changing resolution to fixed since the fix is committed to SVN and also released as the latest experimental release.
Stable release is not yet available and it is best to keep this bug item open until that happens to avoid lots of duplicate bugs.
Does this mean a new stable release will be released?
I also saw the note on the user forums saying the current release is infected with malware, so maybe it should be removed?
Do you really think we would distribute malware to users for over a year? The way virus checkers and other malware finders work means there will be occasional false positives. This seems to happen once a year for WinMerge (the InnoSetup installer seems to cause many false alarms).
The release happens when people have time to do all the work for it.