[16835] in bugtraq
Re: Double clicking on MS Office documents from Windows Explorer
daemon@ATHENA.MIT.EDU (Timothy J. Miller)
Tue Sep 19 20:27:28 2000
Message-Id: <87pum09l39.fsf@zoot.kelly.aftd.af.mil>
Date: Tue, 19 Sep 2000 15:35:06 -0500
Reply-To: "Timothy J. Miller" <cerebus@SACKHEADS.ORG>
From: "Timothy J. Miller" <cerebus@SACKHEADS.ORG>
X-To: johnl@clearoption.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: "John Lange"'s message of "Tue, 19 Sep 2000 14:54:24 -0500"
"John Lange" <lists@darkcore.net> writes:
> Changing the search path for DLLs would break a good portion of Windows
> apps, especially legacy apps.
Absolutely.
> In my previous life as a Windows programmer, often the trick to get some
> older apps working was to find the older version of some DLL that it was
> looking for and put it in the same directory as the application so it would
> load those ones instead of whatever twisted version now exists in the
> windows/system directory.
Been there, done that. Welcome to DLL Hell.
> Thus I think we will be forced to live with this security hole though the OS
> should be patched so that it never loads DLLs across network devices or at
> least obeys the security settings of the machine.
I'm not sure how this would protect anyone. What about systems not
using shares? If I can poison that .ZIP you just nicked, I've still
got you. And there remain plenty of ways I can get an arbitrary file
into a *non-system* area of your disk.
Good policy on UNIX boxen is to *never* use '.' in PATH or
LD_LIBRARY_PATH. This is exactly what Windows is doing.
> Funny that I've known this for a very long time but never thought about
> using it to load trojan DLLs.
I should have as well, but I never did. Oh well. Now the fun begins,
neh?
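A check for what this thread describes, added here as an example and not part of the original message or of any tool mentioned in it. shadowed_dlls() lists the DLLs in an untrusted directory (an unpacked ZIP, the folder a document lives in) whose names collide with DLLs in the trusted system directories; under the search order discussed above, an application started from that directory, or opening a document there, picks those up before the system copy. cwd_entries() covers the UNIX analogy the reply draws: it audits a colon-separated PATH or LD_LIBRARY_PATH for the '.' entries the post warns against, and also for the empty and relative entries that resolve to the current directory just as '.' does. The directory layout built by demo_constructed_layout() is constructed (empty placeholder files named after real System32 DLLs), and the names shadowed_dlls, cwd_entries and demo_constructed_layout are this example's own.

```python
"""Search-order shadowing check (added example, not from the original post).

Windows resolves an unqualified LoadLibrary("foo.dll") by walking a fixed
search order that begins with the application's own directory, so a file
carrying a system DLL's name and dropped beside the application (or beside
the document Explorer opens in that directory) is loaded in place of the
copy under %SystemRoot%\\System32.  shadowed_dlls() lists such collisions;
cwd_entries() audits a UNIX-style PATH / LD_LIBRARY_PATH for entries that
resolve to the current directory.  Function names are this example's own.
"""
from __future__ import annotations

import os
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Iterable


def shadowed_dlls(untrusted_dir: str | os.PathLike,
                  system_dirs: Iterable[str | os.PathLike]) -> dict[str, list[str]]:
    """Classify the DLLs found directly in untrusted_dir.

    "shadowing": same file name (case-folded, because Windows file systems
                 are case-insensitive) as a DLL in one of system_dirs; an
                 application run from, or opening a document in,
                 untrusted_dir would load these before the system copy.
    "other":     DLLs with no system counterpart; still worth a look, since
                 an application may probe for optional DLLs by name.
    """
    system_names: set[str] = set()
    for d in system_dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        system_names.update(e.name.lower() for e in p.iterdir()
                            if e.is_file() and e.suffix.lower() == ".dll")

    shadowing: list[str] = []
    other: list[str] = []
    for e in Path(untrusted_dir).iterdir():
        if e.is_file() and e.suffix.lower() == ".dll":
            (shadowing if e.name.lower() in system_names else other).append(e.name)
    return {"shadowing": sorted(shadowing, key=str.lower),
            "other": sorted(other, key=str.lower)}


def cwd_entries(search_path: str, sep: str = ":") -> list[tuple[int, str]]:
    """Return (index, entry) for every element of a search path that resolves
    to the current working directory: an explicit ".", an empty element (a
    leading, trailing or doubled separator, which sh and glibc's ld.so both
    treat as the current directory), or any other relative path."""
    return [(i, entry) for i, entry in enumerate(search_path.split(sep))
            if not os.path.isabs(entry)]


def demo_constructed_layout() -> dict[str, list[str]]:
    """Build a constructed directory layout under a temp dir and run the check.

    system/   stands in for System32: empty placeholder files named after
              real DLLs (msvcrt.dll, riched20.dll, version.dll)
    unpacked/ mimics a directory extracted from a downloaded ZIP: the
              document the user double-clicks, two DLLs whose names collide
              with system ones (one in a different case), and one that does not
    """
    base = Path(tempfile.mkdtemp(prefix="dllshadow-"))
    system, unpacked = base / "system", base / "unpacked"
    system.mkdir()
    unpacked.mkdir()
    for name in ("msvcrt.dll", "riched20.dll", "version.dll"):
        (system / name).write_bytes(b"")
    for name in ("report.doc", "MSVCRT.DLL", "riched20.dll", "helper.dll"):
        (unpacked / name).write_bytes(b"")
    try:
        return shadowed_dlls(unpacked, [system])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python dllshadow.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    report = shadowed_dlls(target, [root / "System32", root])
    for name in report["shadowing"]:
        print(f"SHADOWS a system DLL: {name}")
    for name in report["other"]:
        print(f"non-system DLL:       {name}")
    for i, entry in cwd_entries(os.environ.get("PATH", ""), os.pathsep):
        print(f"PATH[{i}] resolves to the current directory: {entry!r}")
```

Run on a Windows box against a directory you have just extracted a download into, the script compares it with %SystemRoot%\System32 and %SystemRoot%; on a UNIX host the system directories will not exist, so only the PATH audit produces output. The check is deliberately name-based: it says nothing about whether the colliding file is a legitimate older copy of the sort the quoted post describes or a planted one, which is exactly why it needs a human to look at each hit.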