[openssl-users] Unable to run application after Windows updates
Russ Loucks
rjl at mnmicro.net
Thu Jun 23 19:50:43 UTC 2016
On Jun 23, 2016, at 1:44 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 23/06/2016 18:25, Russ Loucks wrote:
>> We have an application running on Windows 8.1 (HP) tablets that is mostly statically linked except for a few libraries, including the SSLEAY32 and LIBEAY32 libraries.
>>
>> We're using version 1.0.2 of the OpenSSL libraries.
>>
>> We ship our executable and these two libraries and then set a PATH entry in the registry that points to our 'lib' directory so the system/library loader can find the libraries at load/run time.
>>
>> There are two other packages on these tablets we ship that include older versions of the OpenSSL libraries - Intel TXE Components/TCS (OpenSSL version 1.0.0g) and HP Registration service (1.0.0d).
>>
>> Works well.
>>
>> Until the user runs Windows updates....
>>
>> Then, when our application starts we get a 'The ordinal 3905 could not be located in the dynamic link library 'C:\program Files\<our installdir>\lib\SSALEAY32.dll'.
>>
>> I've tried the following - all to no avail:
>> removing the HP and Intel OpenSSL libraries (but safe-keeping them for later re-installation)
>> Re-installing our application and OpenSSL libraries
>> Interestingly, the OpenSSL libraries in the HP and Intel installations do not change after the Windows update - they're the same versions as before the update....
>>
>> I'm stumped. Any clues?
>>
>> I'm guessing the best course of action is to statically link the OpenSSL libs into our app. Is that a good plan?
>>
>> Thanks for the help.
>>
>>
> Over the past few years, Microsoft has been phasing in a security
> improvement (and it is an improvement) to protect against remote
> attackers dropping trojanized replacement DLLs in an unsecured
> (document) directory which they have reason to believe will be
> the current directory when the attacked program is loaded.
> This change consists of a change in the default search order
> for DLLs where no explicit directory is passed to LoadLibrary/
> LoadLibraryEx, and a very similar change to the search order for
> DLLs that are named (with no path obviously) in the import tables
> in programs and other DLLs.
>
> The recommended best practice for DLLs loaded by linking to an
> import library (which contains the needed entries for the import
> table) is to leave OS owned standard DLLs in System32 (SysWoW64
> for 32 bit programs on Win64), use explicit manifest version
> references in the calling EXE/DLLs linked in manifest (don't trust
> the manifest generator in Visual Studio, it tends to get details
> wrong), and put application specific DLLs (including private
> copies of stuff such as SSLEAY32.DLL) in the same directory as the
> referencing EXE/DLL file.
>
> Playing around with the PATH environment variable when installing
> programs is generally considered worst practice due to the risk of
> affecting other programs by inflicting your own DLLs etc. on them.
>
> As a side effect of all this, having a dedicated lib/dll subdir in
> your install dir will generally not work unless you load all those
> DLLs via your own calls to LoadLibrary/LoadLibraryEx with
> explicitly computed full pathnames, thus such a dir is now only
> good for plugins and other on-demand loaded components. With a
> little tweaking it could also be useful for OpenSSL engine plugin
> DLLs.
Thanks much for the info. I’ll work on two options - statically linking the libs and, if that doesn’t work, augmenting our existing app manifest to bind the app to the DLLs.
I’ll let you know what I find.
----
Russ Loucks
mailto: rjl at mnmicro.net
Winter is coming
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160623/d9234136/attachment.html>
More information about the openssl-users
mailing list