Hi, with Windows XP (about 12 years ago) Microsoft introduced the so-called "side-by-side" technology to overcome "DLL hell".
With "side-by-side" technology several versions of a DLL can be installed on a system at the same time, for global use by any application; the "side-by-side" store is located in the subdirectory "WinSxS" of the "Windows" directory.

Applications, for example "filename.exe", that need to use/load a "side-by-side" DLL have to provide a 'Manifest', either as resource linked into the application or as an external file named "filename.manifest" to let the loader locate the "side-by-side" DLL. Cf. <http://msdn.microsoft.com/library/aa384082.aspx>

BUT... Microsoft NEVER purges OUTDATED and/or VULNERABLE DLLs from the "side-by-side" store, and Microsoft does NOT provide a utility to clean up the mess^H"DLL hell" accumulated in the "side-by-side" store.

The result: every application can request via 'Manifest' to load a VULNERABLE version of any DLL present in the "side-by-side" store, effectively circumventing ANY security patches installed for these DLLs. Cf. <http://msdn.microsoft.com/library/aa375141.aspx>.

If you think now: but there is a publisher configuration (cf. <http://msdn.microsoft.com/library/aa375680.aspx>) that redirects old versions to the patched version: the publisher configuration is overridden by a per-application configuration, cf. <http://msdn.microsoft.com/library/ee710783.aspx> and <http://msdn.microsoft.com/library/aa375667.aspx>

Common candidates to tinker with on Windows XP and 2003 are (see Start->Run CMD.EXE /K dir /S /B %SystemRoot%\WinSxS\*.DLL):

- WINHTTP.DLL (installed 3 times on a fully patched 2003)
- COMCTL32.DLL (installed 3 times on a fully patched XP, and 4 times on a fully patched 2003)
- GDIPLUS.DLL (installed 4 times on a fully patched XP, and 3 times on a fully patched 2003)
- MSVCRT.DLL & MSVCIRT.DLL
- MSVC?80.DLL
- MSVC?90.DLL
- MFC*.DLL
- ATL*.DLL
- VCOMP*.DLL

Cf. <http://msdn.microsoft.com/library/ms235624.aspx>

For Windows Vista and later: run the command given above and see for yourself!

stay tuned
Stefan Kanthak

PS: if you find any of these "side-by-side" DLLs in %ProgramFiles%, %ProgramFiles(x86)% or other locations: ask the developers/vendors who installed them there to take a REALLY THOROUGH look at <http://support.microsoft.com/kb/835322>! And don't forget to file bug reports against any product that installed OUTDATED and/or VULNERABLE DLLs!
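
An added example, not part of the original post: a Python audit helper that parses the output of the dir command given above and reports every "side-by-side" DLL that is present in more than one version. It assumes store directories are named arch_name_publicKeyToken_version_culture_hash; the sample listing, including its token, versions and hashes, is constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed store directory layout: arch_name_publicKeyToken_version_culture_hash
ASSEMBLY_DIR = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_[0-9a-f]+$",
    re.IGNORECASE,
)

# Constructed sample of "dir /S /B %SystemRoot%\WinSxS\*.DLL" output.
SAMPLE = r"""
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_0123456789abcdef_1.0.0.0_x-ww_00000001\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_0123456789abcdef_1.0.10.0_x-ww_00000002\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_0123456789abcdef_1.0.9.0_x-ww_00000003\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.WinHTTP_0123456789abcdef_5.1.0.0_x-ww_00000004\winhttp.dll
C:\WINDOWS\WinSxS\InstallTemp\12345\foo.dll
"""

def inventory(listing):
    """Map (arch, assembly name, DLL name) -> sorted list of version tuples."""
    found = defaultdict(set)
    for line in listing.splitlines():
        path = PureWindowsPath(line.strip())
        if path.suffix.lower() != ".dll":
            continue
        # Only files sitting directly in an assembly directory of the store.
        if path.parent.parent.name.lower() != "winsxs":
            continue
        m = ASSEMBLY_DIR.match(path.parent.name)
        if not m:
            continue
        # Compare versions numerically: 1.0.10.0 is newer than 1.0.9.0.
        version = tuple(int(n) for n in m["version"].split("."))
        found[(m["arch"].lower(), m["name"].lower(), path.name.lower())].add(version)
    return {key: sorted(versions) for key, versions in found.items()}

def superseded(listing):
    """Return the older versions of every DLL stored in more than one version."""
    return {k: v[:-1] for k, v in inventory(listing).items() if len(v) > 1}

if __name__ == "__main__":
    for (arch, name, dll), old in sorted(superseded(SAMPLE).items()):
        versions = ", ".join(".".join(map(str, v)) for v in old)
        print(f"{dll} ({arch}, {name}): older versions still in store: {versions}")
```

To audit a real system, redirect the dir output to a file and pass its contents to superseded() instead of SAMPLE.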