If at first you don't succeed; call it version 1.0
Saturday, December 23, 2006

Alex Eckelberry, a really nice guy from Sunbelt Software, has blogged about my last IE7 finding. After exchanging some mails with him about this vulnerability, he also posted our conversation.

Although we do not agree on this issue, his point of view is really worth a read.

Thanks Alex :)


Saturday, December 23, 2006 10:47:29 AM UTC | Comments [1] | Security#
Thursday, December 14, 2006

It has been over a month since my last post regarding the IE7 vulnerability. Thailand is really an amazing place for a honeymoon :).
The feedback on this issue was mixed. Some said it's an issue that should be fixed as soon as possible; others said it's a minor issue, a hoax or just "old news".

Well, although I did not give the full information in my last post, it is definitely not a hoax, and as far as I know (and Google knows) no one has ever reported this specific issue in Internet Explorer.
As a workaround, Thierry Zoller suggested that the “Enable Safe DLL Search Order” feature should be enabled.
Others pointed out that the Desktop folder is not in the user’s PATH by default. While this is true, the behavior of the “DLL Search Order” (when it’s disabled) is to look for the DLL in the current directory, right after Internet Explorer’s directory. As most users execute Internet Explorer from the Desktop, the current directory will of course be the user’s Desktop (see screenshot below).

The following DLL file names can be used to exploit the IE7 DLL-load hijacking vulnerability:
• sqmapi.dll
• imageres.dll
• schannel.dll

Proof-of-concept code for this vulnerability can be found at milw0rm.
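The search-order behavior described above can be modeled for auditing purposes. The following is an added example, not part of the original post: it goes slightly beyond the text by also modeling the order with safe DLL search enabled, and it flags which of the listed DLL names would resolve to the current directory. The paths, the directory listing and the function names are constructed assumptions, and the model ignores KnownDLLs, already-loaded modules and manifests.

```python
# Model of the documented Windows DLL search order for a bare DLL name.
# Simplification (assumption): ignores KnownDLLs, already-loaded modules,
# manifests and LoadLibraryEx flags. All paths and listings are constructed.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_mode):
    """Return the directories in the order the loader consults them."""
    if safe_mode:  # current directory is demoted below the system directories
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]

def resolve(dll, order, listing):
    """First directory in `order` whose listing contains `dll` (case-insensitive)."""
    for d in order:
        if dll.lower() in {f.lower() for f in listing.get(d, ())}:
            return d
    return None

def audit(dlls, app_dir, cwd, path_dirs, listing, safe_mode):
    """Report DLL names that would be loaded from the current directory."""
    order = search_order(app_dir, cwd, path_dirs, safe_mode)
    return [n for n in dlls if resolve(n, order, listing) == cwd]

APP = r"C:\Program Files\Internet Explorer"
DESKTOP = r"C:\Users\alice\Desktop"            # constructed user profile
LISTING = {                                     # constructed directory contents
    APP: {"iexplore.exe"},
    DESKTOP: {"notes.txt", "sqmapi.dll", "schannel.dll"},  # unexpected DLLs
    r"C:\Windows\System32": {"schannel.dll"},
}
NAMES = ["sqmapi.dll", "imageres.dll", "schannel.dll"]  # names listed in the post

if __name__ == "__main__":
    for mode in (False, True):
        print("safe_mode =", mode, "->",
              audit(NAMES, APP, DESKTOP, [], LISTING, mode))
```

In this constructed listing, enabling safe search moves `schannel.dll` back to System32, but a name that exists in no system directory still resolves to the current directory, so unexpected DLLs in launch directories are worth flagging either way.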



Thursday, December 14, 2006 9:36:01 AM UTC | Comments [7] | Security#
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.