I've been on vacation and then spent time catching up at work, so it's been a couple of weeks since I've posted regularly. I'm trying to catch up now, so here goes ...
This is an interesting post from CERT. What's most interesting about it is that it's a desktop version of an old web vulnerability where an attacker uploads a code file into an improperly secured directory and then executes it remotely. I'm sure nobody is writing web code like that any longer (right?), but the execution directory thing is apparently still a problem (though Vista fixes it as the source notes).
From the Cert Vulnerability Analysis Blog:
Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers.
When loading a DLL, Microsoft Windows looks for the DLL in a certain sequence of directories. The first match for the file name wins. In most cases, Windows will first look for a DLL in the same location as the executable. This behavior is what allows the Apple Safari "carpet bombing" vulnerability to work. If an attacker can place code in a directory that gets searched before Windows finds the "real" DLL, the attacker's code will be executed. [From Vulnerability Analysis Blog: Carpet Bombing and Directory Poisoning]
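To make the search-order point concrete from the defender's side, here is an added audit example (not code from the CERT post or from this blog) that models the probe order Windows uses and reports which of an application's imports would be satisfied from a directory that untrusted content can write to, such as a browser download folder, instead of from a system directory. The directory listings, import list and the `audit`/`sample_audit` helpers are all constructed for illustration.

```python
"""Added audit example (not from the CERT post). It models the Windows DLL
search order the post describes and reports which of an application's imports
would be satisfied from a directory that untrusted content can write to (e.g.
a browser download folder). Directory listings are constructed sample data."""
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Probe order (first match wins). The application directory is always
    first; SafeDllSearchMode (XP SP2+) only moves cwd behind the system dirs."""
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]

def resolve(dll, order, listing):
    """Directory whose copy of `dll` would be loaded, or None if not found."""
    for directory in order:
        if dll.lower() in {f.lower() for f in listing.get(directory, ())}:
            return directory
    return None

def audit(imports, app_dir, cwd, path_dirs, listing, untrusted, safe_search=True):
    """Classify each import as 'trusted', 'shadowed' (an untrusted directory
    hides a trusted copy: the poisoning case), 'untrusted' or 'missing'."""
    order = search_order(app_dir, cwd, path_dirs, safe_search)
    trusted_order = [d for d in order if d not in untrusted]
    report = {}
    for dll in imports:
        winner = resolve(dll, order, listing)
        if winner is None:
            report[dll] = "missing"
        elif winner not in untrusted:
            report[dll] = "trusted"
        elif resolve(dll, trusted_order, listing) is not None:
            report[dll] = "shadowed"
        else:
            report[dll] = "untrusted"
    return report

# Constructed sample: an installer launched from a browser download folder.
DOWNLOADS = r"C:\Users\alice\Downloads"
SAMPLE_LISTING = {DOWNLOADS: {"setup.exe", "schannel.dll", "helper.dll"},
                  r"C:\Windows\System32": {"kernel32.dll", "schannel.dll"}}
SAMPLE_IMPORTS = ["kernel32.dll", "schannel.dll", "helper.dll", "vendorsdk.dll"]

def sample_audit(safe_search=True):
    return audit(SAMPLE_IMPORTS, DOWNLOADS, DOWNLOADS, [], SAMPLE_LISTING,
                 {DOWNLOADS}, safe_search)
```

In the sample, `schannel.dll` is the case the post warns about: a copy in the download folder wins over the genuine one in System32 because the application directory is probed first, while `helper.dll` and the missing `vendorsdk.dll` show the two other ways a planted file would be picked up.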