Hacker News new | past | comments | ask | show | jobs | submit login

I wonder if Notepad, Wordpad, and maybe Word all call some library (or all have copy/pasted code) that, for whatever reason, looks for a particular DLL in the working folder and executes it?

Not sure how the network drive part would fit into that hypothesis, though.

Windows suffers some famous dain bramage wrt to DLL loading paths: http://unhandledexpression.com/2010/08/23/fixing-the-dll-loa... Basically, even when "safe" DLL loading is turned on, the search path still includes the current directory. I'm guessing that Notepad and friends all look for some (legacy?) DLL that isn't always installed, so if an attacker puts a malicious DLL by its same name in the same path as the file being opened, it'll be loaded and executed. The part about network drives is probably just an assumption about trust boundaries: Microsoft assumes that attacker can't ordinarily put a malicious file in the same local folder that you're opening a text file in, but on a network drive anything goes.

This is all just speculation. I don't code for Windows, and I don't know anything more about this vulnerability than what's stated in the advisory.

The article doesn't mention it, but does anyone know if a requirement to reproduce the vulnerability is that the files be opened in Notepad, Wordpad, or Word? What if you used a third-party editor?

I'm guessing it's actually a bug with Explorer (that is, the actual opening action) than any particular editor, since RTF files are also affected - and doubtlessly many other file types.

It's not Explorer, it's a bug with the Win32 API that loads DLLs. Any program that uses Win32 to load libraries is affected.

Not true, see here:


The vulnerability, as I understand it (I did a little research by examining one of the vulnerable applications), since we don't have any actual PoCs to examine:

notepad.exe, like many of the stock Windows apps, uses a bunch of system libraries. One of those system libraries loads shdocvw.dll (an Internet Explorer related component). shdocvw.dll has a delay-load dependency on a library called 'ieshims.dll'. On my computer, when I start notepad.exe, shdocvw.dll tries to load ieshims.dll, and fails, but continues normally.

This means that since ieshims.dll is not found in the app directory or the windows system directory, the search for it will continue all the way into the current working directory, which would make it possible for an exploit to put a payload in an 'ieshims.dll' stored in the current working directory (next to the .txt file), and it would then be loaded.

Assuming my research is correct, this looks like a security vulnerability introduced by one of the Internet Explorer developers, probably for some sort of compatibility purpose. They ignored the fact that IE is used as a component in many system applications, and basically added a vulnerability to every app using shdocvw (there are a lot of them).

It's a generic vulnerability; any program that loads DLLs while the current directory is untrusted has the same problem.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact