CVE-2020-8315: Windows 7 DLL hijack
A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7 and 3.8 when running on Windows 7 or earlier.
An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll" earlier on the DLL search path than the System32 directory could cause their file to be loaded and executed at interpreter startup instead of the system one.
Prior to Windows 7, this file does not exist and may be placed anywhere on the search path. After Windows 7, the DLL is loaded directly from its API set and not using the search path. Only Windows 7 is impacted.
Patches to ensure that only the System32 copy of the file is loaded are linked from the bug page below. The next release of each version (3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not support Windows 7, and so is unimpacted.
Note that this attack will likely work against other applications on Windows 7, and it is not unique to CPython. Upgrading to a supported operating system is recommended.
CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315
Bug page: https://bugs.python.org/issue39401
Cheers,
Steve Dower and the Python Security Response Team
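A defender-side check for the condition the advisory describes, added here as an example and not taken from the advisory or the CPython patches: it lists copies of the named DLL in directories that are searched before System32. The search order built by `default_search_order` is an assumption (the standard Windows order with safe DLL search mode enabled), and the function names are hypothetical.

```python
import os
import sys

DLL_NAME = "api-ms-win-core-path-l1-1-0.dll"  # file name from the advisory


def default_search_order(exe_path, environ):
    """Assumed standard Windows search order (safe DLL search mode enabled)."""
    windir = environ.get("SystemRoot", r"C:\Windows")
    order = [
        os.path.dirname(os.path.abspath(exe_path)),  # application directory
        os.path.join(windir, "System32"),
        os.path.join(windir, "System"),
        windir,
        os.getcwd(),
    ]
    order += [p for p in environ.get("PATH", "").split(os.pathsep) if p]
    return order


def _key(path):
    return os.path.normcase(os.path.abspath(path))


def find_shadowing_copies(search_order, system32, dll_name=DLL_NAME):
    """Return copies of dll_name in directories searched before system32."""
    hits = []
    for directory in search_order:
        if _key(directory) == _key(system32):
            break  # everything from here on is at or after System32
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # a missing or unreadable directory cannot supply the DLL
        for entry in entries:
            # Windows file names are case-insensitive, so compare folded names.
            if entry.lower() == dll_name.lower():
                hits.append(os.path.join(directory, entry))
    return hits


if __name__ == "__main__":
    order = default_search_order(sys.executable, os.environ)
    for hit in find_shadowing_copies(order, system32=order[1]):
        print("copy searched before System32:", hit)
```

Run it with the Python interpreter being audited on the Windows 7 host; any path it prints is a copy of the DLL that would be found ahead of the System32 one under the assumed order.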