Back to Top

Friday, November 03, 2006

Talking out of your head (as opposed to an other body part)

Recently a hoax / misinformation / hype is making its way around the web (or at least the part of the web I see ;)). I'm talking about the article title Internet Explorer 7 - Still Spyware Writers Heaven. While I'm by no means a MS fan and criticized the IE7 team for not making some features available under Win2K3 and WinXP, for which I believe that there is no sound technical explanation (only a marketing one), I must absolutely can't stand misinformation, even more so when it seems that the author wants to generate hype!

This is exactly the case with this individual. He refers to a very old attack vector when creating a DLL with the same name as one that was loaded by the application resulted in loading the "malicious" DLL. As of WinXP SP2 (which everyone should have installed by now, otherwise your computer won't last for 10 minutes on the Internet), the search order for DLLs is the following (taken from the official MS page):

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

Now lets analyze this list from the point of view of IE. The current security settings on my IE folder (in program files) is the following: Administratos - Full Control, Power Users - Modify and Users - Read and Execute. In other words you can only create files there if you have at least power user privileges, but if malicious code runs at that level you are pretty much screwed anyway as you can do much more damage than that.

Now if you run as a normal user (which you should be!), your only hope is to write to a directory in the path (or alternatively change your path so that it includes a given directory). In this case the DLL would be loaded IF it couldn't be found in any of the other places. This scenario is only possible if some application uninstalled itself and failed to remove the registry entry for the DLL.

To sum up:

  • This vulnerability has been fixed a couple of years ago (in WinXP SP2)
  • If you run your browser with high privileges, you don't need this method to alter the system. It can be used to hide files, but then again if you have that high privileges you can directly install rootkits.
  • If you run with low privileges (as you should), the only attack would only be possible if you uninstalled a program which registered a BHO without referring with the full pathname to it and the uninstaller program deleted the dll, but failed to delete the registry entry. With other words: very, very unlikely.

My advice would be: run with low privileges (as user) and don't read articles from people who don't know what they're talking about.

5 comments:

  1. SpannerITWks5:00 PM

    Hi, either Aviv Raff is correct, or he isn't, and it sure looks like he is. So where's the hoax/ misinformation/hype that you talked about ? There isn't Any !

    Give the guy some credit for alerting people who didn't know about it, maybe you did, but that's not everybody is it !

    You might be surprised to learn that lots of people CHOOSE to run in Admin, and some didn't rush out and install SP2 either. Also some of us don't need/want XP, never mind Vista.

    I've been very happily and securely running IE6 98SE PC's online for hours daily for over 5 years, with NO infections whatsoever.

    So your statement " otherwise your computer won't last for 10 minutes on the Internet " could be classed in the same context as the things you called Aviv Raff !

    I enjoyed your Cookie article, which by the way had a grammar error in it " It is your right to drive a ( care ) " No big deal though ! Havn't had time to read anymore as of yet.

    Regards,

    Spanner

    SpannerITWks

    ReplyDelete
  2. First of all I'm happy that you like (at least some ;)) of my writings. Thank you for pointing out the mistake I've made, I corrected it.

    Now on for the reasons I was upset and wrote this article. My problem was (to speak metaphorically) that he was yelling fire when he saw an oven (which is a place where it is ok to see fire). More concretely: to "exploit" this "security hole" you have to be Administrator on the computer.

    This isn't even an exploit. It is a well defined and documented behavior. This is like saying: if I have the Administrator password and console access, I can own the system! Good for you buddy.

    The second problem that I had was the fact that he was trying to sell it like a problem with IE7 to generate hype for himself. The reality is: (a) this is not a problem and (b) this is a well defined behavior which is applicable to every software running under Windows (including Firefox, Opera, Word, IE6, ...).

    I would also like to see the response he got from MS (quote from his posing: "As Microsoft intends to fix this issue only in future releases of their OS (according to their response)"), because I'm sure that it went along the same lines (although probably much more politely ;)) as my post.

    And lastly about running as Admin and using Win98SE: I'm not sure how many people choose to run as admin, since the default windows setup makes them admin (so probably it's a matter of not knowing that other possibilities exists). Since I discovered that I can run as user and do 99.99% of my work without a problem I never looked back. It's like driving a car without your seatbelt on: sure, you can drive slowly, but isn't it better to know that you have an extra layer of security and you don't have to concentrate and think every second: "am I sure I want to do this? what are the consequences? do I trust this file? probably I should check it at virustotal.com". I'm not advocating for recklessness here, but isn't it good to know that if you do make a mistake, it's not the end of the world (i.e. your computer)?

    As for running Win98SE: I could not sleep well at night knowing that I run an OS for which there are at least two exploits (the WMF and the VML problem) which are easily exploitable (I don't know if you read, but many pages on MySpace contained WMF exploits at a given time) and no official vendor patch is or will be available.

    ReplyDelete
  3. SpannerITWks4:03 AM

    Hi,

    Re AR -

    I see your points, but i think he has some too !

    Re WMF -

    Which particular WMF and VML vulnerabilities were you referring to ?

    When all the WMF fiasco was occurring nearly a year ago, i and others did extensive testing here - www.dslreports.com/forum/remark,15115819 - The conclusion, 98SE was/is not vulnerable !

    More about it in these -

    www.dslreports.com/forum/remark,15213035

    www.dslreports.com/forum/remark,15294250

    WMF Vulnerability patch for win98 etc., REALTIME LOG
    www.velocityreviews.com/forums/t307421-wmf-vulnerability-patch-for-win98-etc-realtime-log.html

    Re VML -

    MSIE Zero-Day VML Exploit
    www.counterpane.com/exploit-MSIE_Zero-Day_VML.html

    MSIE Zero-Day exploit in use on the Web
    www.dslreports.com/forum/remark,16955136

    VML issues
    www.dslreports.com/forum/remark,16983169

    Eric Sites of Sunbelt on the VML exploit
    www.dslreports.com/forum/remark,16951948

    I have renamed Vgx.dll which circumvents that vulnerability. Plus i permanantly disabled Iframes along with other hazards like ActiveX etc a very long time ago. I also have Active Scripting set to disabled for 99% of the time, the 1% is enabled only as and when required.

    As for, extra layers of security, i have a number of excellent products, set up correctly, and mostly Free, which are on constant alert to intervene should anything untoward happen. They have Proved their worth many times during testing Malware etc. These are complimented by me setting up IE6 and 98SE in a very secure way initially.

    I fully appreciate that not everybody may try to be as vigilant as i do, so i understand your genuine concerns for those that might not !

    -

    Bit of a Freudien slip i think you made when you said, " quote from his ( posing: ) " Should that be Posting lol ?

    Regards,

    Spanner

    SpannerITWks

    ReplyDelete
  4. I see your points, but this is exactly what I've said: it takes you an extra effort to be secure compared to the situation when you run in a fully patched WinXP with low privileges and also you have a less rich user experience because of it (I know that it's tolerable, but still you have to give up some user interface features if you disable Javascript).

    This is kind of a whitelist vs blacklist approach: you do a blacklist approach while my suggestion is to use a whitelist approach. My opinion is that in case we make a mistake - launch a dubious program for example - (and everybody does :)) using a whitelist approach is safer.

    About the Freudian slip: it may be :). It also shows that event with the new FF 2.0 spellchecker you can make mistakes :).

    Btw: I'm very happy that you feel so pasionate about your opinions and hope that you can provide your opinion (both good an bad) about my other postings too. Also if you are interested in a given security topic, let me know and if I know enough about it I make a posting.

    ReplyDelete
  5. SpannerITWks10:29 AM

    I didn't realise your 1st language wasn't English, so i appologise for not taking it into consideration beforehand !

    I do have some ideas/questions about a topic, which i'll post in the Cookies thread. If you feel it deserves/needs to have it's own thread, then by all means feel free to move it, might be best anyway.

    Regards,

    Spanner

    SpannerITWks

    ReplyDelete