Re: [Security-announce]CVE-2020-8315: Windows 7 DLL hijack

Steve Dower, Thanks for sharing this with us. Any workaround to mitigate this? Cheers, Marlon Petry On Tue, Jan 28, 2020, 23:48 Steve Dower <steve.dower@python.org> wrote:
A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7 and 3.8 when running on Windows 7 or earlier.
An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll" earlier on the DLL search path than the System32 directory could cause their file to be loaded and executed at interpreter startup instead of the system one.
Prior to Windows 7, this file does not exist and may be placed anywhere on the search path. After Windows 7, the DLL is loaded directly from its API set and not using the search path. Only Windows 7 is impacted.
Patches to ensure that only the System32 copy of the file is loaded are linked from the bug page below. The next release of each version (3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not support Windows 7, and so is unimpacted.
Note that this attack will likely work against other applications on Windows 7, and it is not unique to CPython. Upgrading to a supported operating system is recommended.
CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315 Bug page: https://bugs.python.org/issue39401
Cheers, Steve Dower and the Python Security Response Team _______________________________________________ Security-announce mailing list -- security-announce@python.org To unsubscribe send an email to security-announce-leave@python.org https://mail.python.org/mailman3/lists/security-announce.python.org/

Windows 7 is no longer supported by Microsoft. Wikipedia says: * Mainstream support ended on January 13, 2015. * Extended support ended on January 14, 2020. I'm not sure that this specific Python issue is the worst issue of using Windows 7. A workaround is to upgrade Windows to a maintained version, no? Only Windows 7 is affected. The other option is to wait for a Python release. Victor Le mer. 29 janv. 2020 à 14:01, Marlon Luis Petry <marlonpetry@gmail.com> a écrit :
Steve Dower,
Thanks for sharing this with us.
Any workaround to mitigate this?
Cheers, Marlon Petry
On Tue, Jan 28, 2020, 23:48 Steve Dower <steve.dower@python.org> wrote:
A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7 and 3.8 when running on Windows 7 or earlier.
An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll" earlier on the DLL search path than the System32 directory could cause their file to be loaded and executed at interpreter startup instead of the system one.
Prior to Windows 7, this file does not exist and may be placed anywhere on the search path. After Windows 7, the DLL is loaded directly from its API set and not using the search path. Only Windows 7 is impacted.
Patches to ensure that only the System32 copy of the file is loaded are linked from the bug page below. The next release of each version (3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not support Windows 7, and so is unimpacted.
Note that this attack will likely work against other applications on Windows 7, and it is not unique to CPython. Upgrading to a supported operating system is recommended.
CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315 Bug page: https://bugs.python.org/issue39401
Cheers, Steve Dower and the Python Security Response Team _______________________________________________ Security-announce mailing list -- security-announce@python.org To unsubscribe send an email to security-announce-leave@python.org https://mail.python.org/mailman3/lists/security-announce.python.org/
----------------------------- Python Security Response Team Unsubscribe: https://mail.python.org/mailman/options/psrt/vstinner%40python.org
-- Night gathers, and now my watch begins. It shall not end until my death.
participants (2)
-
Marlon Luis Petry
-
Victor Stinner