Full Disclosure mailing list archives
Re: Internet Explorer 7 - Still Spyware Writers' Heaven
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 2 Nov 2006 16:45:33 -0500
While this is a concern, it isn't a big one. The PATH environment variable doesn't include the user's desktop by default. There is a close tie-in between Explorer.exe and Iexplore.exe involving the desktop, and there are tricks you can play to get desktop items to execute instead of IE stuff, but the PATH statement itself doesn't include the desktop by default. So, if you're statement is accurate that malware would need to be placed in a directory identified by the PATH statement, we can relax because that would require Administrator access to pull off. Admin access would be needed to modify the PATH statement appropriately to include the user's desktop or some other new user writable location or Admin access would be needed to copy a file into the locations indicated by the default PATH statement. Also, the Spyware still needs yet another initial exploit (or social engineering attack) to copy up and place the malicious dll. And if the exploit requires another exploit and admin access to be successful, why stop there? Anything can be accomplished. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: avivra [mailto:avivra () gmail com] Sent: Wednesday, November 01, 2006 5:07 PM To: full-disclosure () lists grok org uk; bugtraq () securityfocus com Subject: Internet Explorer 7 - Still Spyware Writers' Heaven The new version of Internet Explorer is vulnerable to a DLL-load hijacking. When IE7 is executed it will load several DLL files. While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment variable, and will load the first match it will found. Today, most desktop security products include a generic detection for changes in the startup folder and startup registry keys, in order to catch malicious code trying to load when the users boot his machine. Now, all the spyware/virus writer has to do to bypass this detection is to put a malicious DLL file (or just a downloader DLL of a malicious file) in one of the PATH directories (e.g. the user's desktop), and the next time the user will run IE7 the code of the attacker's file will be executed instead of the original DLL file. As Microsoft intends to fix this issue only in future releases of their OS (according to their response), I encourage security vendors to update their products to detect this behavior, as soon as possible. More info: http://aviv.raffon.net/2006/11/01/InternetExplorer7StillSpywareWritersHe aven.aspx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet Explorer 7 - Still Spyware Writers' Heaven avivra (Nov 01)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 02)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 03)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Thierry Zoller (Nov 04)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Joshua Gimer (Nov 05)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 04)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 06)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 03)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 02)