
Full Disclosure mailing list archives
Defense in depth -- the Microsoft way (part 94): BACKDOOR planted in AppLocker
From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 22 Sep 2025 16:27:42 +0200
Hi @ll,

for several years Microsoft installs the DLLs domain_actions.dll and well_known_domains.dll as part of their Edge browser as well as Windows' WebView component into each and every user profile, UNPROTECTED against tampering.

On Windows 11 24H2 their paths are currently

"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Edge\User Data\Domain Actions\3.0.0.16\well_known_domains.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\domain_actions.dll"
"%LOCALAPPDATA%\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\3.0.0.16\well_known_domains.dll"

Security-conscious Windows administrators of course block execution of DLLs in user-writable locations, for more than 24 years, via SAFER alias Software Restriction Policies, AppLocker or WDAC alias Windows Defender Application Control: see for example "Using Software Restriction Policies to Protect Against Unauthorized Software" <https://technet.microsoft.com/en-us/library/cc507878.aspx> or my own <https://skanthak.hier-im-netz.de/SAFER.html>

The release notes for Edge 135.0.3179.11 (Beta) published 2025-03-13 and the release notes for Edge 135.0.3179.54 (Stable) published 2025-04-03 contain the following tell-tale section:

| Fixes
| * Fixed an issue where AppLocker blocked well-known DLLs such as
|   well_known_domains.dll and domain_actions.dll.

In other words: in March/April 2025 Microsoft planted a BACKDOOR in AppLocker which allows execution of said DLLs, violating the principle to block execution everywhere unless explicitly allowed via a rule!

Remediation: add EXPLICIT deny rules to your AppLocker configuration!

stay tuned, and far away from UNTRUSTWORTHY crap
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
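The remediation the post recommends, explicit AppLocker deny rules for the four DLL paths, worked out as an added PowerShell example. This is editorial example code, not part of Stefan Kanthak's post and not Microsoft's documentation. It assumes: (1) AppLocker path rules do not expand %LOCALAPPDATA%, so the per-user paths are rewritten under the AppLocker variable %OSDRIVE% as %OSDRIVE%\Users\*\AppData\Local\...; (2) the version directory (3.0.0.16 at the time of the post) is replaced by a wildcard so the rules survive component updates, which assumes the "...\Domain Actions\<version>\<dll>" layout stays; (3) the machine already has a DLL rule collection with the default allow rules for %WINDIR% and %PROGRAMFILES%, as a site that blocks DLLs in user-writable locations must, because enforcing a DLL collection that contains nothing but deny rules blocks every DLL on the system; (4) the script runs elevated. File name, rule names and descriptions are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): explicit AppLocker DLL deny rules
# for domain_actions.dll and well_known_domains.dll in the user profile.
#
# AppLocker path conditions only know %OSDRIVE%, %WINDIR%, %SYSTEM32%,
# %PROGRAMFILES%, %REMOVABLE% and %HOT%; %LOCALAPPDATA% is not expanded, hence
# the %OSDRIVE%\Users\*\AppData\Local\... form. The version directory is
# wildcarded (assumption: Edge/WebView keep the "Domain Actions\<version>\" layout).
$Targets = @(
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Edge\User Data\Domain Actions\*\domain_actions.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Edge\User Data\Domain Actions\*\well_known_domains.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\*\domain_actions.dll',
    '%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions\*\well_known_domains.dll'
)

# One FilePathRule per path, Action="Deny" for Everyone (S-1-1-0).
# In AppLocker an explicit deny rule always takes precedence over allow rules.
$Rules = foreach ($p in $Targets) {
    $id   = [guid]::NewGuid().ToString()
    $name = 'Deny ' + (Split-Path -Path $p -Leaf) + ' in user profile'   # example rule name
    $path = [System.Security.SecurityElement]::Escape($p)
@"
    <FilePathRule Id="$id" Name="$name" Description="Explicit deny for user-writable Edge/WebView DLL" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# CAUTION: merge this into an existing DLL rule collection that already carries
# the default allow rules. A DLL collection containing only deny rules, once
# enforced, blocks every DLL that is not explicitly allowed.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
$($Rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path -Path $env:TEMP -ChildPath 'applocker-deny-domain-actions.xml'   # example file name
Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8

# Step 1: dry run against the DLLs actually present in the current profile
# (directories from the post; nothing is changed on the system here).
$ProbeDirs = @(
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Domain Actions",
    "$env:LOCALAPPDATA\Microsoft\Windows\SharedWebView\EBWebView\Domain Actions"
)
$Probe = Get-ChildItem -Path $ProbeDirs -Filter *.dll -Recurse -ErrorAction SilentlyContinue
if ($Probe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Probe.FullName |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    Write-Warning 'No Domain Actions DLLs found in this profile; skipping dry run.'
}

# Step 2: merge the deny rules into the local policy. Add -Ldap '<GPO LDAP path>'
# to target a Group Policy object instead of the local machine.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Step 3: confirm the deny rules are part of the effective DLL collection.
$Effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$Effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Dll' } |
    Select-Object -ExpandProperty FilePathRule |
    Where-Object { $_.Action -eq 'Deny' } |
    Select-Object Name, @{ n = 'Path'; e = { $_.Conditions.FilePathCondition.Path } }

# Step 4: the only proof that enforcement really happens is a block event.
# Event 8004 in the AppLocker "EXE and DLL" log records a blocked load.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8004 -and $_.Message -match 'domain_actions\.dll|well_known_domains\.dll' } |
    Select-Object TimeCreated, Message
```

Two caveats a practitioner should keep in mind. Test-AppLockerPolicy evaluates the rule set, not the enforcement engine, so a positive dry run shows that the rules are well formed and match the files, nothing more; whether the loader actually refuses the DLL is only visible as event 8004 after Edge or a WebView host tries to load it. And AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running; on current Windows releases it is a protected service, so set its start type with `sc.exe config appidsvc start= auto` rather than Set-Service, then start it.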
Current thread:
- Defense in depth -- the Microsoft way (part 94): BACKDOOR planted in AppLocker Stefan Kanthak via Fulldisclosure (Sep 22)