Message-ID: <096A04F511B7FD4995AE55F13824B83319836E@banneretcs1.local.banneretcs.com>
Date: Thu, 2 Nov 2006 16:45:33 -0500
From: "Roger A. Grimes" <roger@...neretcs.com>
To: "avivra" <avivra@...il.com>, <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven

While this is a concern, it isn't a big one. 

The PATH environment variable doesn't include the user's desktop by
default. There is a close tie-in between Explorer.exe and Iexplore.exe
involving the desktop, and there are tricks you can play to get desktop
items to execute instead of IE stuff, but the PATH statement itself
doesn't include the desktop by default.

So, if your statement is accurate that malware would need to be placed
in a directory identified by the PATH statement, we can relax because
that would require Administrator access to pull off. Admin access would
be needed to modify the PATH statement appropriately to include the
user's desktop or some other new user writable location or Admin access
would be needed to copy a file into the locations indicated by the
default PATH statement.

Also, the Spyware still needs yet another initial exploit (or social
engineering attack) to copy up and place the malicious dll. And if the
exploit requires another exploit and admin access to be successful, why
stop there? Anything can be accomplished.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@...oworld.com or roger@...neretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: avivra [mailto:avivra@...il.com] 
Sent: Wednesday, November 01, 2006 5:07 PM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Internet Explorer 7 - Still Spyware Writers' Heaven

The new version of Internet Explorer is vulnerable to a DLL-load
hijacking. When IE7 is executed it will load several DLL files. While
trying to load some of those files, it does not provide the full path of
the DLL file to the function which loads the DLL file to the memory, and
therefore Windows will search for this file in the user's machine using
the directories provided in the PATH environment variable, and will load
the first match it finds.

Today, most desktop security products include a generic detection for
changes in the startup folder and startup registry keys, in order to
catch malicious code trying to load when the user boots his machine.

Now, all the spyware/virus writer has to do to bypass this detection is
to put a malicious DLL file (or just a downloader DLL of a malicious
file) in one of the PATH directories (e.g. the user's desktop), and the
next time the user runs IE7 the code of the attacker's file will be
executed instead of the original DLL file.

As Microsoft intends to fix this issue only in future releases of their
OS (according to their response), I encourage security vendors to update
their products to detect this behavior, as soon as possible.

More info:
http://aviv.raffon.net/2006/11/01/InternetExplorer7StillSpywareWritersHeaven.aspx

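The two messages above disagree on one checkable point: whether a directory on the PATH can be written to without administrative rights. The following PowerShell script is an added example, not code from either poster or from Microsoft. It assumes a Windows host, takes the principals a standard user normally holds (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) as the definition of "low privilege", ignores Deny ACEs, and models only the PATH stage of the loader's search (the real search order consults the application and system directories before PATH). It lists each PATH entry in search order, flags entries that grant write-class rights to those principals, and resolves an unqualified DLL name to the first PATH directory that contains it, which is the "first match" behaviour the original post describes.

```powershell
# Added example: audit PATH entries for non-admin writability and show which
# directory would satisfy an unqualified DLL name first. Assumes Windows.

# Principals a standard (non-administrative) user typically belongs to.
# This list is an assumption; extend it for local group memberships you care about.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller create or replace files inside a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'

function Get-PathDirectories {
    # Expand and de-duplicate PATH entries while preserving search order.
    $seen = @{}
    foreach ($entry in ($env:Path -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if ($dir -and -not $seen.ContainsKey($dir.ToLowerInvariant())) {
            $seen[$dir.ToLowerInvariant()] = $true
            $dir
        }
    }
}

function Test-LowPrivWritable {
    param([string]$Directory)
    # Returns the low-privilege identities holding write-class Allow rights on
    # $Directory. Deny ACEs are deliberately ignored, so treat a hit as a lead
    # to confirm by hand, not as proof.
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($lowPrivPrincipals -contains $_.IdentityReference.Value) -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Resolve-PathDll {
    param([string]$DllName)
    # Mimics only the PATH stage of the loader's search: the first PATH
    # directory containing $DllName wins. Returns $null when nothing matches.
    foreach ($dir in Get-PathDirectories) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# Report every PATH entry with its writability verdict.
foreach ($dir in Get-PathDirectories) {
    $writers = @(Test-LowPrivWritable -Directory $dir)
    $flag = if ($writers.Count -gt 0) { 'WRITABLE by ' + ($writers -join ', ') } else { 'ok' }
    "{0,-60} {1}" -f $dir, $flag
}
```

On a default installation the report should show only 'ok' for the system PATH entries, which is the condition Roger's reply relies on; any 'WRITABLE' line is a directory where a standard user could plant a file that an unqualified DLL load would pick up. `Resolve-PathDll -DllName 'example.dll'` (a placeholder name, since the thread does not name the affected DLLs) shows which directory would win for a given name, so it can be rerun after a PATH or permission change to confirm the fix.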
