Dear list, >therefore Windows will search for this file in the user's >machine using the directories provided in the PATH environment That is a bit simplistic, it will search a lot more then the PATH prior to that. (See list at the bottom) >desktop), and the next time the user will run IE7 the code of the >attacker's file will be executed instead of the original DLL file. According to the list this should not be the case as the PATH statemetn is checked ONLY if every other paths have been already searched for that DLL, (I have seen this too), so either the list offered on the MS site is wrong or ? Hint: USE "Safe DLL Search Order" as offered by Microsoft. Vulnerability of not using "Safe DLL search" as defined by Micrsoft on this page : http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch10n.mspx "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." ---------------------------------------------------------------------------------------- Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended) This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The dynamic-link library (DLL) search order can be configured to search for requested DLLs in one of two ways: If SafeDllSearchMode is configured to 1, the search order is as follows: ? The directory from which the application loaded. ? The system directory. ? The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. ? The Windows directory. ? The current directory. ? The directories that are listed in the PATH environment variable. If SafeDllSearchMode is configured to 0, the search order is as follows: ? The directory from which the application loaded. ? The current directory. ? The system directory. ? The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. ? The Windows directory. ? The directories that are listed in the PATH environment variable. This is the reason WHY I added the feature call "Enable Safe DLL Search Order" to Secure-it (http://www.sniff-em.com/secureit.shtml) -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
