Full Disclosure mailing list archives
Re: Internet Explorer 7 - Still Spyware Writers' Heaven
From: Thierry Zoller <Thierry () Zoller lu>
Date: Sat, 4 Nov 2006 14:03:32 +0100
Dear list,
therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment
That is a bit simplistic, it will search a lot more then the PATH prior to that. (See list at the bottom)
desktop), and the next time the user will run IE7 the code of the attacker's file will be executed instead of the original DLL file.
According to the list this should not be the case as the PATH statemetn is checked ONLY if every other paths have been already searched for that DLL, (I have seen this too), so either the list offered on the MS site is wrong or ? Hint: USE "Safe DLL Search Order" as offered by Microsoft. Vulnerability of not using "Safe DLL search" as defined by Micrsoft on this page : http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch10n.mspx "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." ---------------------------------------------------------------------------------------- Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The dynamic-link library (DLL) search order can be configured to search for requested DLLs in one of two ways: If SafeDllSearchMode is configured to 1, the search order is as follows: The directory from which the application loaded. The system directory. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. The Windows directory. The current directory. The directories that are listed in the PATH environment variable. If SafeDllSearchMode is configured to 0, the search order is as follows: The directory from which the application loaded. The current directory. The system directory. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. The Windows directory. The directories that are listed in the PATH environment variable. This is the reason WHY I added the feature call "Enable Safe DLL Search Order" to Secure-it (http://www.sniff-em.com/secureit.shtml) -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet Explorer 7 - Still Spyware Writers' Heaven avivra (Nov 01)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 02)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 03)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Thierry Zoller (Nov 04)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Joshua Gimer (Nov 05)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 04)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 06)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Eliah Kagan (Nov 03)
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven Roger A. Grimes (Nov 02)