lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <8beca820611011407q3787ff52o4f5bc06cd8103ae0@mail.gmail.com>
Date: Thu, 2 Nov 2006 00:07:28 +0200
From: avivra <avivra@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Internet Explorer 7 - Still Spyware Writers'
	Heaven

The new version of Internet Explorer is vulnerable to a DLL-load
hijacking. When IE7 is executed it will load several DLL files. While
trying to load some of those files, it does not provide the full path
of the DLL file to the function which loads the DLL file to the
memory, and therefore Windows will search for this file in the user's
machine using the directories provided in the PATH environment
variable, and will load the first match it will found.

Today, most desktop security products include a generic detection for
changes in the startup folder and startup registry keys, in order to
catch malicious code trying to load when the users boot his machine.

Now, all the spyware/virus writer has to do to bypass this detection
is to put a malicious DLL file (or just a downloader DLL of a
malicious file) in one of the PATH directories (e.g. the user's
desktop), and the next time the user will run IE7 the code of the
attacker's file will be executed instead of the original DLL file.

As Microsoft intends to fix this issue only in future releases of
their OS (according to their response), I encourage security vendors
to update their products to detect this behavior, as soon as possible.

More info: http://aviv.raffon.net/2006/11/01/InternetExplorer7StillSpywareWritersHeaven.aspx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ