Recently a piece of hoax / misinformation / hype is making its way around the web (or at least the part of the web I see ;)). I’m talking about the article titled Internet Explorer 7 – Still Spyware Writers Heaven. While I’m by no means an MS fan and have criticized the IE7 team for not making some features available under Win2K3 and WinXP, for which I believe there is no sound technical explanation (only a marketing one), I absolutely can’t stand misinformation, even more so when it seems that the author wants to generate hype!
This is exactly the case with this individual. He refers to a very old attack vector in which creating a DLL with the same name as one loaded by the application resulted in the “malicious” DLL being loaded instead. As of WinXP SP2 (which everyone should have installed by now, otherwise your computer won’t last 10 minutes on the Internet), the default DLL search order (SafeDllSearchMode) is the following (taken from the official MS page):
- The directory from which the application loaded.
- The system directory.
- The 16-bit system directory.
- The Windows directory.
- The current directory.
- The directories that are listed in the PATH environment variable.
Now let’s analyze this list from the point of view of IE. The current security settings on my IE folder (in Program Files) are the following: Administrators – Full Control, Power Users – Modify and Users – Read and Execute. In other words you can only create files there if you have at least Power User privileges, but if malicious code runs at that level you are pretty much screwed anyway, as it can do much more damage than that.
Now if you run as a normal user (which you should be!), your only hope is to write to a directory in the PATH (or alternatively change your PATH so that it includes a given directory, which a normal user can do for their own account). In this case the DLL would be loaded only IF it couldn’t be found in any of the places searched before the PATH. This scenario is only possible if some application registered a DLL (for example a BHO) by bare filename rather than by full path, then uninstalled itself and failed to remove the registry entry for the DLL.
To sum up:
- The vulnerability was fixed a couple of years ago (in WinXP SP2).
- If you run your browser with high privileges, you don’t need this method to alter the system. It can be used to hide files, but then again if you have such high privileges you can directly install rootkits.
- If you run with low privileges (as you should), the attack would only be possible if you uninstalled a program which registered a BHO without referring to it by its full pathname, and the uninstaller deleted the DLL but failed to delete the registry entry. In other words: very, very unlikely.
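If you want to check your own machine for exactly the dangling-BHO case described above instead of taking either side’s word for it, the following PowerShell script does it. It is an added example and not code from the original post or from the article it criticizes. It walks the BHO registrations under HKLM, looks up each one’s InprocServer32 value, and for every entry that is a bare filename rather than a full path it walks the SafeDllSearchMode order listed earlier (application directory assumed to be IE’s folder under Program Files, current directory assumed to be wherever you run the script) and reports where the file is first found and which of the earlier directories the current user can actually write to. The WOW6432Node keys are included as an assumption for 64-bit Windows, where 32-bit IE registers its BHOs there.

```powershell
# Added example, not from the original post: audit Browser Helper Objects for
# bare-filename registrations and show where the loader would find the DLL.
# Assumptions: IE lives in $env:ProgramFiles\Internet Explorer, the "current
# directory" is the one this script runs from, and 32-bit BHOs on 64-bit
# Windows sit under the WOW6432Node keys.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# SafeDllSearchMode order: app dir, System32, System (16-bit), Windows dir,
# current dir, then every directory in PATH.
$ieDir = Join-Path $env:ProgramFiles 'Internet Explorer'
$searchOrder = @(
    $ieDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:Path -split ';' | Where-Object { $_ })

function Test-DirectoryWritable {
    param([string]$Path)
    # Probe by creating and deleting a temp file: more honest than parsing ACLs.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-BhoServerPath {
    param([string]$Clsid)
    # The DLL a BHO loads is the default value of its CLSID's InprocServer32 key.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = Get-BhoServerPath $clsid
        if (-not $server) {
            Write-Output "$clsid : no InprocServer32 value (dangling BHO registration)"
            continue
        }
        $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        if ([IO.Path]::IsPathRooted($server)) {
            # Full path: the loader goes straight there, no search order involved.
            $status = if (Test-Path -LiteralPath $server) { 'ok' } else { 'MISSING file' }
            Write-Output "$clsid : $server ($status)"
            continue
        }
        # Bare filename: walk the search order and flag any directory that is
        # both writable by the current user and searched before the first hit.
        Write-Output "$clsid : bare name '$server', walking search order"
        $found = $false
        foreach ($dir in $searchOrder) {
            $writable  = Test-DirectoryWritable $dir
            $candidate = Join-Path $dir $server
            if (Test-Path -LiteralPath $candidate) {
                Write-Output "    FOUND      $candidate (directory writable by you: $writable)"
                $found = $true
                break
            } elseif ($writable) {
                Write-Output "    PLANTABLE  $dir is writable and is searched before any copy is found"
            }
        }
        if (-not $found) {
            Write-Output "    NOT FOUND anywhere: a writable directory above is the scenario from the post"
        }
    }
}
```

Run it from a normal user account, since that is the case the post argues about. A clean result is every BHO listed with a full path and “ok”; the only genuinely interesting output is a bare-name entry that is NOT FOUND together with a PLANTABLE line, which is precisely the uninstaller-left-a-dangling-entry situation. A PLANTABLE line under a directory that comes after a FOUND line means nothing, because the loader stops at the first hit.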
My advice would be: run with low privileges (as a user) and don’t read articles from people who don’t know what they’re talking about.