Defense in depth -- the Microsoft way (part 94): BACKDOOR planted in AppLocker
Microsoft installs the unprotected DLL files domain_actions.dll and well_known_domains.dll with the Edge browser and Windows WebView, leaving them open to tampering; AppLocker blocks DLL execution from user-writable locations by default, but a Microsoft update lets these DLLs bypass that restriction. 2025-9-23 03:35:24 Author: seclists.org


Full Disclosure mailing list archives


From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 22 Sep 2025 16:18:01 +0200

Hi @ll,

for several years Microsoft has installed the DLLs domain_actions.dll
and well_known_domains.dll as part of their Edge browser as well as
Windows' WebView component into each and every user profile,
UNPROTECTED against tampering.

On Windows 11 24H2 their paths are currently
"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\well_known_domains.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\well_known_domains.dll"

Security-conscious Windows administrators have of course blocked execution
of DLLs in user-writable locations for more than 24 years via
SAFER alias Software Restriction Policies, AppLocker or WDAC alias
Windows Defender Application Control: see for example
"Using Software Restriction Policies to Protect Against Unauthorized Software"
<https://technet.microsoft.com/en-us/library/cc507878.aspx> or my
own <https://skanthak.hier-im-netz.de/SAFER.html>.

The release notes for Edge 135.0.3179.11 (Beta) published 2025-03-13
and the release notes for Edge 135.0.3179.54 (Stable) published
2025-04-03 contain the following tell-tale section:

| Fixes
| * Fixed an issue where AppLocker blocked well-known DLLs such as
|   well_known_domains.dll and domain_actions.dll.

In other words: in March/April 2025 Microsoft planted a BACKDOOR in
AppLocker which allows execution of said DLLs!

Remediation: add EXPLICIT deny rules to your AppLocker configuration!

stay tuned, and far away from UNTRUSTWORTHY crap
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
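The explicit deny rules the post recommends, written out as an added PowerShell example (not code from the post, from Microsoft, or from the Edge project). It assumes the script runs elevated, that AppLocker's DLL rule collection is already enforced with its default allow rules, and that user profiles live under %OSDRIVE%\Users, because AppLocker path rules do not understand %LOCALAPPDATA%; the version folder is matched with a wildcard so the rules survive updates of the DLLs.

```powershell
# Added example: explicit AppLocker DLL deny rules for the two Edge/WebView DLLs
# named in the post, merged into the existing local policy.
# Assumptions: elevated shell, DLL rule collection already enforced with default
# allow rules, profiles under %OSDRIVE%\Users (AppLocker has no %LOCALAPPDATA%).
$paths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Edge\User Data\Domain Actions\*\domain_actions.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Edge\User Data\Domain Actions\*\well_known_domains.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\*\domain_actions.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\*\well_known_domains.dll'
)

# One FilePathRule with Action="Deny" per path; SID S-1-1-0 is "Everyone".
$rules = foreach ($p in $paths) {
    $name = 'Deny ' + [System.IO.Path]::GetFileName($p) + ' in user profile'
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$name" Description="Explicit deny, see Edge 135 release notes" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}

# EnforcementMode="NotConfigured" keeps whatever enforcement the Dll collection already has.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$file = Join-Path $env:TEMP 'deny-edge-domain-actions.xml'
$policyXml | Set-Content -Path $file -Encoding UTF8

# -Merge adds these deny rules to the local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $file -Merge

# Check: evaluate the effective policy against the concrete path from the post
# (version folder 3.0.0.16 as quoted there; adjust if Edge has moved on).
$probe = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Domain Actions\3.0.0.16\domain_actions.dll'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path "$file.effective" -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy "$file.effective" -Path $probe -User Everyone

# Blocked DLL loads are logged as Event ID 8004 in the AppLocker "EXE and DLL" log;
# watch it after starting Edge to confirm the deny rule actually takes effect.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8004 | Select-Object TimeCreated, Message
```

Test-AppLockerPolicy only evaluates the rule set; the event-log check is the one that shows whether the loader honours the deny rule for these particular DLLs.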

Source: https://seclists.org/fulldisclosure/2025/Sep/66