Re: Is it OK to enable SafeDllSearchMode?
On Jul 9, 8:13 pm, Gary Smith <bitbuc...@example.com> wrote:
> Assuming that I'm reading Knowledge Base article 306850 correctly -- and
> that's a big assumption because it's VERY badly written -- no reasonable
> application could be affected. The alleged security improvement is also
> pretty far-fetched, although the performance issue is plausible. There's
> no way to tell what applications might be affected except to try it and
> see if anything complains about being unable to find DLLs. I've made the
> registry change on my system just for the heck of it. We'll see what
> happens.
That article appears to describe a specific situation that requires
the SafeDllSearchMode key to be enabled. From what I've read, the
main reason to enable that key is for security, not performance. A
better description is available here:
http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx
"The fact that the current working directory is searched before the
system directories can be used by someone with access to the file
system to cause a program launched by a user to load a spoofed DLL. If
a user launches a program by double-clicking a document, the current
working directory is actually the location of the document. If a DLL
in that directory has the same name as a system DLL in that location
will then be loaded instead of the system DLL. This attack vector was
actually used by the Nimda virus.
To combat this, a new setting was created in Service Pack 3, which
moves the current working directory to after the system directories in
the search order. To avoid application compatibility issues, however,
this switch was not turned on by default."
And if an application does break with the enabling of that key, the
error may not be an inability to find a DLL. See one scenario
mentioned here:
http://books.google.com/books?id=yZ...ts=GR5YBhr-gG&sig=djOngoYEjBE1kxAjLLD25rxjuyQ
Besides claiming that breakage is low (which might be true for him,
but I'm sure I run some applications that he doesn't), the author says
that SQL 2000 loaded SFC.dll (Starfighter Foundation Classes) from its
working directory, but after enabling SafeDllSearchMode, it
incorrectly loaded SFC.dll (system file checker) from the system
directory. He also mentions that Outlook 2000 add-ins will break if
the key is enabled.
More subtle problems could occur too:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch10n.mspx
"Applications will be forced to search for DLLs in the system path
first. For applications that require unique versions of these DLLs
that are included with the application, this entry could cause
performance or stability problems."
It's those potential subtle problems that worry me. And what about
tools such as PartitionMagic? You can't really test those to see if
they break. I probably won't enable it, and I'll just live with the
security risk.
One thing that might be helpful in determining whether an app might
break or not is to see when the last update for it became available.
If it was after August 2004 (the date that XP SP2 was released, in
which the key became enabled by default), then the app is probably
compatible with the enabling of the key. If it was before that date,
then the app might not be compatible with it.
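Added example, not part of the original post: a small Python model of the search order with SafeDllSearchMode off and on, which reports the DLL names that would be loaded from a different directory once the key is enabled (the SFC.dll situation described above). The directory names and file listings are constructed, and the model ignores KnownDLLs, manifests and explicit-path loads.

```python
"""Model of the DLL search order with SafeDllSearchMode off and on (added example)."""


def search_order(app_dir, cwd, system_dirs, path_dirs, safe_mode):
    """Return the directories searched for an unqualified DLL name, in order.

    system_dirs = [system directory, 16-bit system directory, Windows directory].
    The key only moves the current working directory behind the system directories.
    """
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve(name, order, listing):
    """Return the first directory in `order` holding `name` (case-insensitive)."""
    wanted = name.lower()
    for directory in order:
        if wanted in {f.lower() for f in listing.get(directory, ())}:
            return directory
    return None


def changed_resolutions(names, app_dir, cwd, system_dirs, path_dirs, listing):
    """Map each name whose source directory differs to (key off, key on)."""
    off = search_order(app_dir, cwd, system_dirs, path_dirs, safe_mode=False)
    on = search_order(app_dir, cwd, system_dirs, path_dirs, safe_mode=True)
    changes = {}
    for name in names:
        before, after = resolve(name, off, listing), resolve(name, on, listing)
        if before != after:
            changes[name] = (before, after)
    return changes


# Constructed sample data: hypothetical paths and file listings.
SYSTEM_DIRS = [r"C:\WINNT\system32", r"C:\WINNT\system", r"C:\WINNT"]
APP_DIR, CWD = r"C:\App\bin", r"C:\App\data"
LISTING = {
    APP_DIR: {"app.exe", "helper.dll"},
    CWD: {"SFC.dll", "plugin.dll"},          # app-specific SFC.dll in the working dir
    SYSTEM_DIRS[0]: {"sfc.dll", "kernel32.dll"},
}
IMPORTS = ["sfc.dll", "plugin.dll", "helper.dll", "kernel32.dll"]

if __name__ == "__main__":
    result = changed_resolutions(IMPORTS, APP_DIR, CWD, SYSTEM_DIRS, [], LISTING)
    for name, (before, after) in result.items():
        print(f"{name}: {before} -> {after}")
```

Only names present in both the working directory and a system directory change source; a DLL shipped in the application's own directory resolves the same way in both modes.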