Bugtraq mailing list archives
Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: "Timothy J. Miller" <cerebus () SACKHEADS ORG>
Date: Mon, 18 Sep 2000 15:56:03 -0500
Microsoft Security Response Center <secure () MICROSOFT COM> writes:
We considered two cases. In the first one, a malicious user would seek to persuade a user to download a malicious version of riched20.dll or msi.dll onto the user's machine, in the same directory as an Office document. The malicious user would then persuade the user to open the Office document. In the end, this case turns out to be simply a case of persuading the user to download and run untrusted code -- and if the malicious user can do this, there are far easier ways to accomplish the same goal.
It strikes me that the subverted DLL need only be present in a directory containing openable objects. At that point, *any* object opened via the shell (rather than loaded into a running program) that utilizes the "overloaded" DLL will execute the malicious code contained therein. While the problem of delivering the subverted DLL is still open, this is not the same as delivering and persuading the user to open a trojaned document. The user is opening *his* documents, known to be clean. It is the system that has been subverted-- without violating any access privileges, I might add. The trojan DLL can, of course, be delivered in multiple ways-- adding it to a ZIP file, for instance, or placing in a public share where openable objects reside. The mind boggles. The DLL search order logic is functionally equivalent to having a '.' in the $PATH of a UNIX user. This is known to be bad practice, since it allows this kind of shennanigans. I suggest that this problem, and subsequent problems of this nature, can be fixed simply by *not* looking in the current directory for required DLLs. -- Cerebus
Current thread:
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Microsoft Security Response Center (Sep 18)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Timothy J. Miller (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases John Lange (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorermay execute arbitrary programs in some cases Crist Clark (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Chip Andrews (Sep 20)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Matthew Dharm (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases aleph (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Milan Kopacka (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases van der Kooij, Hugo (Sep 19)
- <Possible follow-ups>
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Todd Ransom (Sep 19)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Francis Favorini (Sep 19)
(Thread continues...)
- Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases Timothy J. Miller (Sep 19)