Re: Internet Explorer 7 - Still Spyware Writers' Heaven

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
From: "Eliah Kagan" <degeneracypressure@xxxxxxxxx>
Date: Sat, 4 Nov 2006 16:33:17 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LCzcLpPxILSTxyi5escF1hUDsF5cWOsrf4ZmopOIPUauzN1HEWmibrxQxKstflra6rqV5eX1Qc9LMgAQ0BOxfRBEWuym46SDAg3CuMN+qVs/3MvLK/kI7UNf3Tj3Pa2nYpIxCM1gaL84WKV+OJQ2k54n5B/+nyBsHnFdLTgzsrc=
In-reply-to: <cf939bff0611041215u28faffd5j211562633f7a9b3d@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <8beca820611011407q3787ff52o4f5bc06cd8103ae0@xxxxxxxxxxxxxx> <096A04F511B7FD4995AE55F13824B83319836E@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <3da3d8310611031825m28b39c62p613a8545a5a4cff6@xxxxxxxxxxxxxx> <cf939bff0611041215u28faffd5j211562633f7a9b3d@xxxxxxxxxxxxxx>

On 11/4/06, Joshua Gimer wrote:

If Microsoft is not planning on providing a fix for this until Vista, I can
see a worm coming from this.


It's highly unlikely that this would be useful to the spreading of a
worm. Worms infect computers over a network, relying either on
remotely exploitable vulnerabilities that require no user interaction,
or on vulnerabilities that require user interaction where it is easy
to produce the necessary user action. Getting a malicious file into a
user's path (or the system path) is nontrivial, and generally requires
that something else be going on.

Forgive me if I don't know how this works in
the windows world, but when it is looking for this DLL, does it take the
first one that it finds within your path; like in UNIX? Or does it look in
all directories within your path and then decide? I am guessing the former,
but I am just clarifying.


It is the former--for libraries (DLLs) or executables (.exe, .com,
.bat, .cmd, and so forth) the one that gets linked to or executed when
the path is searched is the one that is in the earliest directory in
the path (or the one that is in the working directory--unlike in *nix
systems, in Windows the current directory--typically the directory
that the calling program is located in--is searched first, before the
path is consulted; you may see similar behavior in some *nix systems,
but in such cases you will find that in actuality the directory "." is
in the path).

-Eliah

References:
- Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: avivra
- RE: Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: Roger A. Grimes
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: Eliah Kagan

Prev by Date: MajorSecurity Advisory #32]phpComasy CMS - Multiple Cross Site Scripting Issues
Next by Date: Ariadne <= 2.4.1 Multiple Remote File Include Vulnerabilities(New)
Previous by thread: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
Next by thread: RE: Internet Explorer 7 - Still Spyware Writers' Heaven
Index(es):
- Date
- Thread