Mozilla Compatible Silverlight 4 Plugin Requires Loading DLLs from CWD

I visited a site yesterday in Chrome that tried to load Silverlight to provide a video player. I have KB2264107 installed and have globally disabled loading of DLLs from the current working directory in order to mitigate luring attacks against apps that use the default insecure DLL loading behavior of LoadLibrary(). Just like the Java plugin for Mozilla, Chrome generated a big fat bonk dialog trying to load the DLLs that the Silverlight plugin uses. The specific missing file is agcore.dll, which is found in “C:\Program Files (x86)\Microsoft Silverlight\4.0.50524.0” on my system.

I tried creating a symlink to agcore.dll so that agcore.dll is in the same directory as chrome.exe, which fixes the bonk, but Silverlight doesn’t work: I just end up with a black box where the movie player should be. I also tried adding the Silverlight directory to $env:path, which removed the bonk but, instead, I got the “Install Microsoft Silverlight” button. I tried various combinations of symlinking DLLs and messing with $env:path but I didn’t arrive at a combination that actually works.

The only solution that I found is to dial the CWDIllegalInDllSearch value for Chrome and Firefox down to 2 (DLLs not allowed to load from CWD if CWD is any remote, network location) instead of 0xffffffff (changing the value globally also works, but the per-application override keeps the stricter setting for everything else). I then have to hope that Firefox and Chrome are careful about how they use CWD. I hope they set CWD just for loading the installed plugins in “Program Files” and cannot be lured into loading some evil DLL from a spurious location when doing something like opening an HTML document on a USB stick.

PS> Get-ItemProperty chrome.exe, firefox.exe | select pspath,cwdillegalindllsearch | fl

PSPath                : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
CWDIllegalInDllSearch : 2

PSPath                : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
CWDIllegalInDllSearch : 2
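As an added example (not code from the original post), the following PowerShell audits every CWDIllegalInDllSearch setting on the machine and applies the per-application exception described above. The global key path and value meanings are taken from KB2264107, the per-image path is the Image File Execution Options key shown in the output, and the function names are my own.

```powershell
# Added example, not part of the original post. Assumes KB2264107 is installed and
# uses the value meanings Microsoft documents for it. Run elevated to change settings.
$Ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Global = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name   = 'CWDIllegalInDllSearch'

function Describe-CwdPolicy($Raw) {
    # The DWORD 0xFFFFFFFF reads back as Int32 -1; normalise to an unsigned value first.
    if ($null -eq $Raw) { return 'not set: CWD is searched (default LoadLibrary behaviour)' }
    $v = [int64]$Raw; if ($v -lt 0) { $v += 4294967296 }
    switch ($v) {
        4294967295 { 'CWD removed from the DLL search order entirely' }
        2          { 'CWD skipped only when it is a remote (UNC or WebDAV) folder' }
        1          { 'CWD skipped only when it is a WebDAV folder' }
        0          { 'CWD is searched (protection disabled)' }
        default    { "unrecognised value $v" }
    }
}

function Get-CwdPolicy {
    # Global setting first, then every per-image override under IFEO.
    $g = Get-ItemProperty -Path $Global -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Image = '(global)'; Meaning = (Describe-CwdPolicy $g.$Name) }
    foreach ($k in Get-ChildItem -Path $Ifeo) {
        $p = Get-ItemProperty -Path $k.PSPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            [pscustomobject]@{ Image = $k.PSChildName; Meaning = (Describe-CwdPolicy $p.$Name) }
        }
    }
}

function Set-CwdPolicyForImage([string]$Image, [int64]$Value) {
    # Per-image override: the post's workaround sets 2 for the two NPAPI browsers only,
    # leaving the global 0xFFFFFFFF in place for every other process.
    $key = Join-Path -Path $Ifeo -ChildPath $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWord values above Int32.MaxValue (e.g. 0xFFFFFFFF) must be written as their signed form.
    $dword = [int32]$(if ($Value -gt 2147483647) { $Value - 4294967296 } else { $Value })
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $dword -Force | Out-Null
}

# Apply the post's exception for the NPAPI browsers, then review the whole machine.
'chrome.exe', 'firefox.exe' | ForEach-Object { Set-CwdPolicyForImage -Image $_ -Value 2 }
Get-CwdPolicy | Format-Table -AutoSize
```

Running Get-CwdPolicy on its own is a useful periodic check: any image whose Meaning reads "CWD is searched" has had the protection relaxed further than the post's value of 2.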





2 Responses to Mozilla Compatible Silverlight 4 Plugin Requires Loading DLLs from CWD

  1. retry says:

    I ran into this EXACT problem last night, Feb 8, 2011, right after Patch Tuesday security updates. Before that, I’d been running Silverlight just fine with this key set to 0xffffffff. It took me hours to put it together that this was the culprit. So I have the key set to 2 now, but I feel much less secure in my Windows machine overall. Fucking Microsoft proving once again how security is a damn afterthought in all their products.

    • Brian Reiter says:

      I’m not sure who is to blame exactly. Java has the same problem as Silverlight with Firefox and Chrome. This may be a feature of the way NPAPI plugin discovery and loading is designed on Windows.

      COM/ActiveX plugins on IE don’t have the same problem. Silverlight, for example, runs fine on IE with CWD DLL loading off (-1).

      The situation isn’t so bad: a malicious DLL has to find its way onto your computer or a removable drive plugged into your computer, and you have to interact with some code in your browser that manages to coerce it to load that pre-planted DLL. To close down this attack, look into AppLocker DLL rules.

      AppLocker is a win7 enterprise/ultimate feature. You combine it with using a LUA account that is not a member of Administrators. It is a very cool security policy tool. You can effectively switch the execution policy of Windows from run everything to only execute trusted (installed) code.
