Bugtraq mailing list archives
Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 19 Sep 2000 13:18:16 -0700
"Timothy J. Miller" wrote: [snip]
The DLL search order logic is functionally equivalent to having a '.' in the $PATH of a UNIX user. This is known to be bad practice, since it allows this kind of shenanigans. I suggest that this problem, and subsequent problems of this nature, can be fixed simply by *not* looking in the current directory for required DLLs.
To use your $PATH analogy to emphasize what I see as the most dangerous (and the part showing the most ill conceived design), this is like putting '.' in your $PATH _before_ /bin, /usr/bin, and the other standard system paths. Checking the current directory is somewhat of a security threat. Checking the current directory _before_ system directories is a severe threat. Like most security issues, there is a security-convenience trade. Searching the PWD at all leans towards convenience, but IMHO, is justifiable. However, going to the PWD before the system directories is just too risky and I see little added value.

Of course, the most ideal situation is to have the behavior configurable. For Win*, a registry entry specifying where to look and in what order (with conservative vendor distributed defaults) would seem the best solution, but is undoubtedly costly to implement.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926
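The $PATH analogy from the reply above, turned into a small audit script (an added example, not code from the original post or the thread): it flags search-path entries that resolve to the current directory and rates them "severe" only when they precede the first system directory, which is the ordering the reply singles out as the real danger. The system-directory lists, the severity labels and the treatment of any relative entry as a current-directory lookup are assumptions of this example.

```python
"""Audit a search path (PATH-style) for current-directory entries and report
whether they come before or after the system directories."""
import os
import re
from dataclasses import dataclass
from typing import List

# Assumed "system" locations for this example; adjust to the host being audited.
UNIX_SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")
WINDOWS_SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows")


@dataclass
class Finding:
    index: int      # 0-based position in the search order
    entry: str      # the raw entry as written in the path
    severity: str   # "severe" = precedes the first system dir, else "moderate"


def is_current_dir_entry(entry: str, windows: bool) -> bool:
    """'.' and an empty element both mean the current directory; any other
    relative entry is resolved against it too, so it is treated the same."""
    if entry in ("", "."):
        return True
    if windows:  # absolute = drive letter + separator, or a UNC path
        return not (re.match(r"^[A-Za-z]:[\\/]", entry) or entry.startswith("\\\\"))
    return not entry.startswith("/")


def _norm(entry: str, windows: bool) -> str:
    e = entry.rstrip("\\/")
    return e.lower() if windows else e  # Windows paths compare case-insensitively


def audit_search_path(path: str, windows: bool = False) -> List[Finding]:
    sep = ";" if windows else ":"
    system_dirs = WINDOWS_SYSTEM_DIRS if windows else UNIX_SYSTEM_DIRS
    system = {_norm(d, windows) for d in system_dirs}
    entries = path.split(sep)
    sys_pos = [i for i, e in enumerate(entries) if _norm(e, windows) in system]
    first_sys = sys_pos[0] if sys_pos else len(entries)  # no system dir: all are "moderate"
    findings = []
    for i, e in enumerate(entries):
        if is_current_dir_entry(e, windows):
            findings.append(Finding(i, e, "severe" if i < first_sys else "moderate"))
    return findings


if __name__ == "__main__":
    for f in audit_search_path(os.environ.get("PATH", ""), windows=(os.name == "nt")):
        print(f"[{f.severity}] entry {f.index} {f.entry!r} resolves to the current directory")
```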