On Mon, Feb 20, 2012 at 2:28 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi Mitja,
>
> On Fri, Feb 17, 2012 at 11:32 AM, ACROS Security Lists <li...@acros.si> wrote:
>>
>> This blog post reveals a bit of our research and provides an advance notification of
>> a largely unknown remote exploit technique on Windows. More importantly, it provides
>> instructions for protecting your computers from this technique while waiting for the
>> affected software to correct its behavior.
>>
>> http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
>
> $ Look for the presence of any *.dll files in the Downloads
> $ folder and do the same as in the previous step.
> $ Delete all files from the Downloads folder.
> I don't believe a PE/PE+ executable needs a DLL extension to be loaded
> by LoadLibrary and friends.
>
They do not need a specific extension for LoadLibrary() to work. This has more to do with DLL search paths, which have been a known exploit vector for a long while now. I do know Win7 fixes this by just not checking the local directories when it loads a .exe; I am unsure if Vista does the same, and I am positive WinXP checks local directories first, since I've done so under WinXP. They might have something interesting with msiexec.exe checking the local directory first. I would call this a programming issue: the installer not specifying a full path and doing no validation. If a dev was really concerned when they called LoadLibrary(), they could just use SetDllDirectory(), GetDllDirectory(), and friends to manipulate where they look for DLLs.

Since I responded to something in this subject, I would like to share my personal opinion: this doesn't really seem like a major exploit vector. It appears to fall under the usual dos and don'ts of basic security. Obviously, downloading files from a suspect website is a security risk.

> Perhaps a scanning/cleansing tool would be helpful.
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
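As an added example, not code from anyone in this thread: a small Python scanner in the spirit of the cleansing tool Jeff suggests. It identifies PE images in a folder by their MZ/PE headers and the COFF Characteristics flag rather than by file extension, which is the point above that a DLL need not be named *.dll. The folder and sample files are constructed in a temporary directory; the fake images are header-only and not loadable.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL image


def pe_image_kind(path):
    """Return 'dll', 'exe' or None by parsing the PE headers, ignoring the name."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":          # no DOS header
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last WORD of the 20-byte COFF header
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def scan_folder(folder):
    """List (name, kind) for every PE image in folder, whatever its extension."""
    found = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            kind = pe_image_kind(path)
            if kind:
                found.append((name, kind))
    return found


def build_fake_pe(is_dll):
    """Constructed, header-only PE-shaped bytes (not a real, loadable image)."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    chars = 0x2102 if is_dll else 0x0102  # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(header) + b"PE\0\0" + coff


def demo():
    """Populate a constructed 'Downloads' folder and scan it."""
    folder = tempfile.mkdtemp(prefix="downloads_demo_")
    samples = {
        "notes.txt": build_fake_pe(True),    # DLL image hiding behind a .txt name
        "setup.exe": build_fake_pe(False),
        "fake.dll": b"just text, not a PE image",  # .dll name, but no PE header
    }
    for name, blob in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blob)
    return scan_folder(folder)
```

Run `demo()` to see that the misnamed `notes.txt` is reported as a DLL while `fake.dll` is ignored; a real cleanup pass would act on the reported names rather than on `*.dll` alone.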