In association with heise online

10 September 2010, 13:41

DLL hole now affects EXE files


It turns out that the DLL vulnerability (binary planting) under Windows was only the tip of the iceberg. DLLs are not the only files affected: EXE files can be planted in the same way, and the DLL workarounds proposed by Microsoft do not help against it.

In a security advisory for the recently updated Safari browser, security service provider ACROS explains the problem. The attacker places an HTML file and a manipulated file named explorer.exe on a network share. When the victim opens the HTML file with Safari, nothing happens at first, but the file contains a link to a URI beginning with "file://", which makes Safari launch Windows Explorer (explorer.exe) to handle it. Safari asks for the program by name rather than by full path, so Windows searches for explorer.exe, finds the copy in the current working directory (the network share) before the legitimate one in the Windows directory, and executes it.

ACROS says that the workarounds proposed for the DLL vulnerability do not work here. The CWDIllegalInDllSearch hotfix stops DLLs from being loaded from the current working directory, but has no effect on how EXE files are located. The same holds for the SetDllDirectory function. Because there is no comparable function for EXE files, ACROS says the only thing that helps is for the application to move the current directory to the end of the search path before it launches further processes. It also makes a difference whether a process is launched with ShellExecute or with CreateProcess, since the two resolve a bare program name differently. For further details, see ACROS' article Binary Planting Goes "EXE".
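The search-order detail behind the paragraph above is easy to get wrong, so here is a small model of it. This is an added example, not code from the article or from ACROS: it encodes the documented Win32 search orders for CreateProcess (command line without a path) and for LoadLibrary with SafeDllSearchMode on, and runs them against a constructed in-memory filesystem. The share name \\attacker\share, the Safari install path and the planted file names are assumptions for the demo; the CWDIllegalInDllSearch setting is modelled as an all-or-nothing removal of the current directory from the DLL order, which is a simplification of the real registry values.

```python
# Added example (not from the article or ACROS): model of the Win32 search
# orders used by CreateProcess (no path in the command line) and LoadLibrary
# (SafeDllSearchMode on), run against a constructed filesystem.
import ntpath

# Constructed filesystem for the demo: lowercase, fully qualified Windows paths.
# \\attacker\share stands for the WebDAV/SMB folder the victim opens the HTML from.
FILES = {
    r"c:\program files\safari\safari.exe",
    r"c:\windows\explorer.exe",            # the legitimate Windows Explorer
    r"c:\windows\system32\kernel32.dll",
    r"\\attacker\share\index.html",
    r"\\attacker\share\explorer.exe",      # planted EXE
    r"\\attacker\share\dwmapi.dll",        # planted DLL (assumed absent from system dirs)
}

APP_DIR = r"c:\program files\safari"   # directory the launching application was loaded from
SYSTEM32 = r"c:\windows\system32"      # GetSystemDirectory()
SYSTEM16 = r"c:\windows\system"        # 16-bit system directory
WINDIR = r"c:\windows"                 # GetWindowsDirectory()
PATH = [r"c:\windows\system32", r"c:\windows", r"c:\tools"]


def _exists(path: str) -> bool:
    return path.lower() in FILES


def create_process_order(cwd: str) -> list:
    """CreateProcess search order when lpApplicationName is NULL and the command
    line carries no path: the current directory is searched second, before any
    system directory. That is why a planted explorer.exe wins even though the
    real one exists in the Windows directory."""
    return [APP_DIR, cwd, SYSTEM32, SYSTEM16, WINDIR, *PATH]


def dll_order(cwd: str, cwd_illegal_in_dll_search: bool = False) -> list:
    """LoadLibrary order with SafeDllSearchMode on: system directories precede
    the current directory. The CWDIllegalInDllSearch hotfix removes the current
    directory from this list (simplified here) and touches only this list,
    never the CreateProcess order above."""
    order = [APP_DIR, SYSTEM32, SYSTEM16, WINDIR, cwd, *PATH]
    if cwd_illegal_in_dll_search:
        order = [d for d in order if d != cwd]
    return order


def _resolve(name: str, cwd: str, order: list):
    """A name with a directory part is not searched: absolute names are used
    as-is, relative ones are taken relative to cwd. A bare file name is looked
    up in each directory of `order`; the first hit wins."""
    if ntpath.dirname(name):
        candidate = name if ntpath.isabs(name) else ntpath.join(cwd, name)
        return candidate if _exists(candidate) else None
    for d in order:
        candidate = ntpath.join(d, name)
        if _exists(candidate):
            return candidate
    return None


def launch(command: str, cwd: str):
    """Which file CreateProcess would run for `command` with working dir `cwd`."""
    return _resolve(command, cwd, create_process_order(cwd))


def load_library(name: str, cwd: str, cwd_illegal_in_dll_search: bool = False):
    """Which file LoadLibrary would map for `name` with working dir `cwd`."""
    return _resolve(name, cwd, dll_order(cwd, cwd_illegal_in_dll_search))


def explorer_full_path() -> str:
    """Hardened launch: build the full path (as an app would from
    GetWindowsDirectory) so that no search takes place at all."""
    return ntpath.join(WINDIR, "explorer.exe")


if __name__ == "__main__":
    share = r"\\attacker\share"
    print("EXE by bare name, cwd on share:   ", launch("explorer.exe", share))
    print("DLL by bare name, default:        ", load_library("dwmapi.dll", share))
    print("DLL with CWDIllegalInDllSearch:   ", load_library("dwmapi.dll", share, True))
    print("EXE with the same hotfix in force:", launch("explorer.exe", share))
    print("EXE by full path:                 ", launch(explorer_full_path(), share))
```

Running it shows the asymmetry the article describes: the DLL hotfix empties the planted-DLL lookup, but the planted explorer.exe is still chosen for a bare-name launch because CreateProcess consults the current directory before the system directories. The only launch that is immune in the model is the one that passes a fully qualified path, which is the developer-side fix.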

ACROS has also published an Online Binary Planting Exposure test on its site. At the moment, the only way to prevent remote attacks appears to be to disable the WebDAV client, i.e. the WebClient service in the Services console. Note that this closes only the WebDAV route from the Internet; shares reached over SMB are unaffected, which is why blocking outbound SMB at the perimeter is the usual companion measure.

