[German]Malwarebytes has released the Windows tool AdwCleaner 8.0.6. This update fixes a DLL hijacking vulnerability in AdwCleaner 8.0.5 that I reported to the developers.
Advertising
A never ending story of the AdwCleaner
My blog post AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability from December 2019 dealt with a DLL hijacking vulnerability in this tool. There you can also find hints about what the AdwCleaner does. I reported the vulnerability to Malwarebytes and have been in contact with one of the developers since then. They are willing and able to fix this vulnerability in the free AdwCleaner.
Unfortunately the DLL hijacking vulnerability in AdwCleaner 8.0.3 was back again. I mentioned this in the blog post AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability.
Again a DLL hijacking vulnerability in AdwCleaner 8.0.5
A few weeks ago I accidentally came across a link on one of the US sites (I don't know if it was Bleeping Computer, Neowin or MS Power User) that offered AdwCleaner 8.0.5. So I downloaded this version and ran it over my testbed. AdwCleaner does not need to be installed, but requires administrative permissions at startup. The user will grant these, because he wants to clean his system from junkware.
Advertising
When I started the program, I was informed via the above dialog box that version 8.0.5 of AdwCleaner was vulnerable to DLL hijacking. This means that all DLL files reloaded by the AdwCleaner are also executed as a process with administrative privileges. If a malware knows that a tool has a DLL hijacking vulnerability for certain DLLs, it only needs to place a file with the same name in the folder containing the application. For AdwCleaner, this is most likely the Downloads folder. This DLL is then loaded instead of the Windows DLL (hijacking).
The testbed is provided by Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and unzip it into a folder. There is also a Sentinel.exe which also moves into this folder.
If a virus scanner jumps on when visiting the Kanthak website: It delivers the Eicar test virus in a data block attribute on its website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then be activated.
The developer fixes immediately
Since I have already been in contact with the developer at Malwarebytes twice because of the same problem, and the problem has been fixed again and again, I sent him an email. There I clearly checked why all second versions of AdwCleaner come with DLL hijacking vulnerability. The developer promised to take care and make sure that this bug does not recur in new builds. Well, the developer also promised to inform me when AdwCleaner 8.0.6 is available – I am still waiting for the mail till today.
Addendum: My blogging colleague Lawrence Abrams just described at Bleeping Computer that AdwCleaner 8.0.6 now can remove malware from the command line.
Yesterday evening the idea came to me to just check if this version has already been released and run a test. The AdwCleaner 8.0.6 is currently available for free download on this Malwarebytes website. A test showed that the DLL hijacking vulnerability has been fixed once again.
According to this forum entry, AdwCleaner 8.0.6 must have been published on the evening of 1 July 2020. So the whole thing is still fresh. If you use the tool, you should get the latest version 8.0.6. By the way, the forum entry describes what has changed in the new version of the tool.
Similar articles:
Malwarebytes AdwCleaner 8.0, a 2nd view
AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability
AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability
Advertising
Many thanks for your approval of Malwarebytes ADWcleaner v8.0.6 for all netizens.
Although, one thing troubles me, why didn't Malwarebytes inform you of the release, it's surely common courtesy and respect in gratitude of your discovery?
Do we now need a Malwarebytes ADWcleaner checking utility?
Maybe Jerome has forgotten that or haven't the time. If his promise, that that he has assured, that the developing process never miss a DLL hijacking test, becomes true, we are on the right side. They are willing – I've contacted many other tool developers and didn't receive an answer at all …
I use 'always on' ASLR in Windows 8.1 and 10 (thanks to this website making me aware of the default ASLR deficiencies). Unfortunately this results in AdAware 8 not being able to run. It starts but immediately stops and vanishes. AdAware 7 has no such problems. Neither does AdAware 8 when run under Windows 7 with ASLR 'always on' (it is necessary to use EMET 5.52 to enable 'always on' ASLR in Windows 7).
I have pointed this issue out to Malwarebytes but it seems to be very difficult to resolve.
Always On ASLR is more valuable than AdAware.
24th July 2020:
I now see that AdwCleaner 8.0.7 has been released, perhaps time for an approval/ revisit?