September 21st, 2010
Closed (solved in version 11.1.0)
Affected Software and Components
Snagit 10 & 11
TechSmith is aware that research has been published dealing with "DLL preloading" vulnerabilities in Snagit as well as many other products from other vendors.
The vulnerability requires that an attacker convince the victim to open a file using Snagit (.SNAG, .SNAGPROF, .SNAGACC files) from a remote attacker-controlled network location such as an SMB or WebDAV share. When the vulnerable application launches and opens the file, the application will load the attacker-provided Dynamic Link Library (DLL) from the same network location as the file which may lead to arbitrary code execution at the same privilege level as the user.
This has been solved in Snagit 11.1.0
Workarounds or Mitigations
If you are unable to update to Snagit 11.1.0 Microsoft has provided a FixIt tool that can be used to prevent applications from loading DLLs from WebDAV and SMB locations. This workaround is described in the Microsoft Knowledge Base article titled "A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm".
Administrators can also protect their Camtasia Studio and Snagit users by adding perimeter firewall users to prevent systems from making outbound SMB or WebDAV connections, as described in the Microsoft Security Research & Defense Blog More information about the DLL Preloading remote attack vector post.