
RE: Internet Explorer 7 - Still Spyware Writers' Heaven



While this is a concern, it isn't a big one. 

The PATH environment variable doesn't include the user's desktop by
default. There is a close tie-in between Explorer.exe and Iexplore.exe
involving the desktop, and there are tricks you can play to get desktop
items to execute instead of IE stuff, but the PATH statement itself
doesn't include the desktop by default.

So, if your statement is accurate that malware would need to be placed
in a directory identified by the PATH statement, we can relax because
that would require Administrator access to pull off. Admin access would
be needed to modify the PATH statement appropriately to include the
user's desktop or some other new user writable location or Admin access
would be needed to copy a file into the locations indicated by the
default PATH statement.

Also, the Spyware still needs yet another initial exploit (or social
engineering attack) to copy up and place the malicious dll. And if the
exploit requires another exploit and admin access to be successful, why
stop there? Anything can be accomplished.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: avivra [mailto:avivra@xxxxxxxxx] 
Sent: Wednesday, November 01, 2006 5:07 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Internet Explorer 7 - Still Spyware Writers' Heaven

The new version of Internet Explorer is vulnerable to a DLL-load
hijacking. When IE7 is executed it will load several DLL files. While
trying to load some of those files, it does not provide the full path of
the DLL file to the function which loads the DLL file to the memory, and
therefore Windows will search for this file in the user's machine using
the directories provided in the PATH environment variable, and will load
the first match it finds.

Today, most desktop security products include a generic detection for
changes in the startup folder and startup registry keys, in order to
catch malicious code trying to load when the user boots his machine.

Now, all the spyware/virus writer has to do to bypass this detection is
to put a malicious DLL file (or just a downloader DLL of a malicious
file) in one of the PATH directories (e.g. the user's desktop), and the
next time the user runs IE7 the code of the attacker's file will be
executed instead of the original DLL file.

As Microsoft intends to fix this issue only in future releases of their
OS (according to their response), I encourage security vendors to update
their products to detect this behavior, as soon as possible.

More info:
http://aviv.raffon.net/2006/11/01/InternetExplorer7StillSpywareWritersHeaven.aspx
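
Whether every PATH directory really needs Administrator access to write to, as the reply above argues, can be checked per machine. The script below is an added example, not part of either message; it is meant to be run as the standard (non-admin) user, and the function names are hypothetical.

```python
import os
import tempfile

def is_writable(directory):
    """True if the current user can create a file here.

    Creates and immediately discards a temp file, so the result reflects
    the real permissions/ACLs rather than a read-only attribute.
    """
    try:
        with tempfile.TemporaryFile(dir=directory):
            return True
    except OSError:
        return False

def audit_search_path(path_value, sep=os.pathsep):
    """Return (entry, reason, dlls) findings for a PATH-style string."""
    findings = []
    for raw in path_value.split(sep):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry, resolved against the current directory", []))
        elif not os.path.isdir(entry):
            # A PATH entry that does not exist yet can be created by anyone
            # who can write to its parent directory.
            parent = os.path.dirname(entry.rstrip("/\\"))
            if os.path.isdir(parent) and is_writable(parent):
                findings.append((entry, "missing directory, parent is writable", []))
        elif is_writable(entry):
            # DLLs already sitting in a user-writable PATH directory deserve review.
            dlls = sorted(n for n in os.listdir(entry) if n.lower().endswith(".dll"))
            findings.append((entry, "writable by current user", dlls))
    return findings

if __name__ == "__main__":
    for entry, reason, dlls in audit_search_path(os.environ.get("PATH", "")):
        print(f"{entry}: {reason}")
        for name in dlls:
            print(f"    DLL present: {name}")
```

An empty result for a standard user matches the default configuration described in the reply; any finding is a directory to lock down or remove from PATH.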