Aviv Raff is a smart guy and I respect his work. But he does seem to be making a mountain out of a wee molehill.
Back in November, he wrote an alarming blog post entitled “Internet Explorer 7 – Still Spyware Writers Heaven”, which made the argument that there’s an “exploit” in IE 7 because when IE loads DLLs, it does not provide the full path to some. When IE can’t find the DLL, Windows will search for a DLL with the same name. Hence, a malware author could replace a legitimate DLL with a naughty DLL.
His blog post elicited some light discussion on various security lists, but that was about all I saw about it. However, today he came out again on this subject, with proof of concept code for this “exploit”.
Now, I wouldn’t have paid much attention to this, except that in his original post, Avi used a really scary headline, which I really don’t think was warranted. I’ve seen my fair share of crap-in-your pants exploits. This is not one of them.
Remember that in order for a rogue DLL to get on a system, the malware author would need to have full write access to the system. It’s also not trivial to write such a DLL.
Now, the following argument could be made: “Alex, you moron: a trojan could get installed on a person’s machine, which would have as its payload this rogue DLL”. Yes, that’s true. But how is that different than any other malware? How the hell did the trojan get on the person’s machine in the first place? The user had to allow it to get in. Heck, if the malware author can get a trojan on a machine, why not have that be the nasty bugger which ruins your life? Do you see the illogic here?
In other words, this is not like the infamous WMF exploit, which blasted a hole right into a user’s system by simply visiting a website.
I’ve been exchanging emails with Rob Franco (a good guy btw) on the IE team, who said “the reason that this behavior isn’t a “security vulnerability”, is that the Aviv [Raff] needs to already have write access to your system to get his code to run the way that he describes…I doubt that this will ever become a spyware writer’s “weapon of choice” because frankly, coding a rogue system DLL from scratch is probably one of the harder ways I can imagine for a badguy to get their code running.”
Rob agrees with Raff that security vendors need to keep a lookout for these types of threats, adding that “at the same time, spyware-scanners should probably keep a look out for suspicious DLLs as there’s no end to the creativity of attackers.”
I’m sure this minor bug will be fixed in an update in the near future. In the meantime, as always, continue to practice good basic security habits.
Alex Eckelberry