| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Nov 2006 00:07:28 +0200 From: avivra <avivra@...il.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Internet Explorer 7 - Still Spyware Writers' Heaven The new version of Internet Explorer is vulnerable to a DLL-load hijacking. When IE7 is executed it will load several DLL files. While trying to load some of those files, it does not provide the full path of the DLL file to the function which loads the DLL file to the memory, and therefore Windows will search for this file in the user's machine using the directories provided in the PATH environment variable, and will load the first match it will found. Today, most desktop security products include a generic detection for changes in the startup folder and startup registry keys, in order to catch malicious code trying to load when the users boot his machine. Now, all the spyware/virus writer has to do to bypass this detection is to put a malicious DLL file (or just a downloader DLL of a malicious file) in one of the PATH directories (e.g. the user's desktop), and the next time the user will run IE7 the code of the attacker's file will be executed instead of the original DLL file. As Microsoft intends to fix this issue only in future releases of their OS (according to their response), I encourage security vendors to update their products to detect this behavior, as soon as possible. More info: http://aviv.raffon.net/2006/11/01/InternetExplorer7StillSpywareWritersHeaven.aspx
Powered by blists - more mailing lists