Re: Double clicking on MS Office documents from Windows Explorermay execute arbitrary programs in some cases

[Crist Clark <crist.clark () GLOBALSTAR COM>]

"Timothy J. Miller" wrote:
[snip]
> The DLL search order logic is functionally equivalent to having a '.'
> in the $PATH of a UNIX user.  This is known to be bad practice, since
> it allows this kind of shennanigans.
>
> I suggest that this problem, and subsequent problems of this nature,
> can be fixed simply by *not* looking in the current directory for
> required DLLs.

To use your $PATH analogy to emphasize what I see as the most dangerous
(and the part showing the most ill conceived design), this is like putting
'.' in your $PATH _before_ /bin, /usr/bin, and the other standard system
paths.

Checking the current directory is somewhat of a security threat. Checking
the current directory _before_ system directories is a severe threat. Like
most security issues, there is a security-convenience trade. Searching
the PWD at all leans towards convenience, but IMHO, is justifiable. However,
going to the PWD before the system directories is just too risky and I see
little added value.

Of course, the most ideal situation is to have the behavior configurable.
For Win*, a registry entry sepcifying where to look and in what order (with
conservative vendor distributed defaults) would seem the best solution,
but is undoubtably costly to implement.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926