It has been over a month since my last post regarding the IE7 vulnerability. Thailand is really an amazing place for a honeymoon J.
The feedbacks to this issue were mixed. Some said it's an issue that should be fixed as soon as possible, other said it's a minor issue, a hoax or just "old news".
Well, although I did not give the full information in my last post, it is definitely not a hoax, and as far as I know (and Google knows) no one ever informed about this specific issue in Internet Explorer.
As a workaround, Thierry Zoller suggested that the “Enable Safe DLL Search Order” feature should be enabled.
Other informed that the Desktop folder is not in the user’s PATH by default. While this is true, the behavior of the “DLL Search Order” (when it’s disabled) is to look for the DLL in the current directory, right after the Internet Explorer’s directory. As most users execute Internet Explorer from the Desktop, the current directory will be of course the user’s Desktop (see screenshot below).
The following DLL file names can be used to exploit the IE7 DLL-load hijacking vulnerability:
• sqmapi.dll
• imageres.dll
• schannel.dll
A Proof-of-Concept code for this vulnerability can be found at milw0rm.
