Malware has been using it to spread through local shares and also using it as an easy privilege escalation against known trusted software. Like I said and have always said, the vectors are going to be local and for further compromise.
On Mon, Feb 20, 2012 at 4:22 PM, Sanguinarious Rose <[email protected]> wrote:
> On Mon, Feb 20, 2012 at 2:28 PM, Jeffrey Walton <[email protected]> wrote:
> > Hi Mitja,
> >
> > On Fri, Feb 17, 2012 at 11:32 AM, ACROS Security Lists <[email protected]> wrote:
> >>
> >> This blog post reveals a bit of our research and provides an advance notification of
> >> a largely unknown remote exploit technique on Windows. More importantly, it provides
> >> instructions for protecting your computers from this technique while waiting for the
> >> affected software to correct its behavior.
> >>
> >> http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
> >
> > $ Look for the presence of any *.dll files in the Downloads
> > $ folder and do the same as in the previous step.
> > $ Delete all files from the Downloads folder.
> > I don't believe a PE/PE+ executable needs a DLL extension to be loaded
> > by LoadLibrary and friends.
> >
>
> They do not need a specific extension for LoadLibrary() to work.
>
> This has more to do with DLL search paths, which have been a known exploit vector for a long while now. I do know Win7 fixes this by just not checking the local directories when it loads a .exe; I am unsure if Vista does the same, and I am positive WinXP checks local directories first since I've done so under WinXP.
>
> They might have something interesting with msiexec.exe checking the local directory first. I would call this a programming issue by the installer not specifying a full path and doing no validation.
>
> If a dev was really concerned when they called LoadLibrary() they could just use SetDllDirectory(), GetDllDirectory(), and friends to manipulate where they look for DLLs.
>
> Since I responded to something in this subject, I would like to share my personal opinion that this doesn't really seem like a major exploit vector. It appears to fall under the usual do's and don'ts of basic security.
> Obviously downloading files from a suspect website is a security risk.
>
> > Perhaps a scanning/cleansing tool would be helpful.
> >
> > Jeff
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
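The thread makes two points a defender checking a Downloads folder should combine: the blog's advice to look for *.dll files there, and Jeffrey's observation that a PE image does not need a .dll extension to be loaded. The script below is an added example, not code from the thread or from ACROS Security; it identifies PE images by their DOS "MZ" header and the "PE\0\0" signature that e_lfanew points to, so a library planted under a harmless-looking extension is still reported. The folder contents it builds in a temporary directory (planted.dll, invoice.txt, report.pdf, truncated.dll) are constructed fixtures, not real files; point scan_downloads() at a real Downloads path to use it.

```python
import struct
import tempfile
from pathlib import Path

# A PE image begins with a DOS header ("MZ"); the 32-bit field at offset 0x3C
# (e_lfanew) holds the file offset of the "PE\0\0" signature.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C


def is_pe_image(path: Path) -> bool:
    """True if the file carries an MZ header whose e_lfanew points at a PE signature."""
    try:
        with path.open("rb") as f:
            dos_header = f.read(E_LFANEW_OFFSET + 4)
            if len(dos_header) < E_LFANEW_OFFSET + 4 or dos_header[:2] != MZ_MAGIC:
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, E_LFANEW_OFFSET)
            f.seek(e_lfanew)
            # A short read (e_lfanew beyond end of file) compares unequal and is rejected.
            return f.read(4) == PE_MAGIC
    except OSError:
        return False


def scan_downloads(folder: Path) -> list[Path]:
    """Return every regular file in the folder that is a PE image, regardless of extension."""
    return sorted(p for p in folder.iterdir() if p.is_file() and is_pe_image(p))


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal byte string that passes is_pe_image(); it is not a loadable image."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_MAGIC
    return bytes(buf)


def demo() -> list[str]:
    """Populate a temporary stand-in for the Downloads folder (constructed files) and return the names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "report.pdf").write_bytes(b"%PDF-1.4 plain text, not a PE image")
        (folder / "planted.dll").write_bytes(build_fake_pe())      # obvious case: .dll extension
        (folder / "invoice.txt").write_bytes(build_fake_pe())      # PE image behind a harmless extension
        (folder / "truncated.dll").write_bytes(b"MZ")              # MZ stub without a PE header: not flagged
        return [p.name for p in scan_downloads(folder)]


if __name__ == "__main__":
    for name in demo():
        print("PE image found:", name)
```

Checking the signature rather than the extension also sidesteps the opposite mistake: a file called something.dll that is not a PE image (truncated.dll above) is not reported, so the listing only contains files a loader could actually map.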
