[German]Malwarebytes has released the Windows tool AdwCleaner 8.0.6. This update fixes a DLL hijacking vulnerability in AdwCleaner 8.0.5 that I reported to the developers.
A never ending story of the AdwCleaner
My blog post AdwCleaner 8.0.1 closes a DLL Hijacking vulnerability from December 2019 dealt with a DLL hijacking vulnerability in this tool. There you can also find hints about what the AdwCleaner does. I reported the vulnerability to Malwarebytes and have been in contact with one of the developers since then. They are willing and able to fix this vulnerability in the free AdwCleaner.
Unfortunately the DLL hijacking vulnerability in AdwCleaner 8.0.3 was back again. I mentioned this in the blog post AdwCleaner 8.0.4 closes again a DLL Hijacking vulnerability.
Again a DLL hijacking vulnerability in AdwCleaner 8.0.5
A few weeks ago I accidentally came across a link on one of the US sites (I don’t know if it was Bleeping Computer, Neowin or MS Power User) that offered AdwCleaner 8.0.5. So I downloaded this version and ran it over my testbed. AdwCleaner does not need to be installed, but requires administrative permissions at startup. The user will grant these, because he wants to clean his system from junkware.
When I started the program, I was informed via the above dialog box that version 8.0.5 of AdwCleaner was vulnerable to DLL hijacking. This means that all DLL files reloaded by the AdwCleaner are also executed as a process with administrative privileges. If a malware knows that a tool has a DLL hijacking vulnerability for certain DLLs, it only needs to place a file with the same name in the folder containing the application. For AdwCleaner, this is most likely the Downloads folder. This DLL is then loaded instead of the Windows DLL (hijacking).
The testbed is provided by Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and unzip it into a folder. There is also a Sentinel.exe which also moves into this folder.
If a virus scanner jumps on when visiting the Kanthak website: It delivers the Eicar test virus in a data block attribute on its website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then be activated.
The developer fixes immediately
Since I have already been in contact with the developer at Malwarebytes twice because of the same problem, and the problem has been fixed again and again, I sent him an email. There I clearly checked why all second versions of AdwCleaner come with DLL hijacking vulnerability. The developer promised to take care and make sure that this bug does not recur in new builds. Well, the developer also promised to inform me when AdwCleaner 8.0.6 is available – I am still waiting for the mail till today.
Addendum: My blogging colleague Lawrence Abrams just described at Bleeping Computer that AdwCleaner 8.0.6 now can remove malware from the command line.
Yesterday evening the idea came to me to just check if this version has already been released and run a test. The AdwCleaner 8.0.6 is currently available for free download on this Malwarebytes website. A test showed that the DLL hijacking vulnerability has been fixed once again.
According to this forum entry, AdwCleaner 8.0.6 must have been published on the evening of 1 July 2020. So the whole thing is still fresh. If you use the tool, you should get the latest version 8.0.6. By the way, the forum entry describes what has changed in the new version of the tool.