DLL Vulnerability (Binary Planting) Under Windows Goes "EXE"

It turns out that the DLL vulnerability (Binary Planting) under Windows was only the tip of the iceberg. As ACROS explains, "Attackers first save an HTML file and a manipulated file called explorer.exe on a drive. When the victim opens the HTML file with Safari, nothing happens initially, but the file does contain a link to a URI that starts with 'file://', which causes Windows to try to start Windows Explorer. Unfortunately, Windows loads explorer.exe within the containing folder (the network share) and executes it."

ACROS says the CWDIllegalInDllSearch hotfix prevents code from being loaded from the current containing folder for DLLs, but doesn't work for EXE files. The same also holds true for the SetDllDirectory function. Because there's no comparable function for EXE files, ACROS says it would only help if the app puts the containing folder at the end of the search path before additional processes are launched. At the moment, the only way to prevent remote attacks seems to be by disabling WebDAV clients (under Services).
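
The resolution order behind this behaviour, and the effect of moving the containing folder to the end of the search path, can be modelled offline. The following is an added example, not code from ACROS or from the original article; it follows the search order Microsoft documents for a bare file name passed to CreateProcess, and every path and share name in it is constructed sample data.

```python
import ntpath

# Documented CreateProcess search order for a bare file name (no path given).
DEFAULT_ORDER = ("app_dir", "cwd", "system32", "system16", "windows", "path")

def is_remote(directory):
    """True for UNC paths (\\\\server\\share), e.g. SMB or WebDAV locations."""
    return directory.startswith("\\\\")

def resolve(name, dirs, files, order=DEFAULT_ORDER):
    """Return the first candidate path for `name` that exists in `files`.

    dirs  maps each search-order slot to a directory (a list for "path").
    files is a set of lower-cased full paths standing in for the file system.
    """
    for slot in order:
        entry = dirs.get(slot, [])
        for d in ([entry] if isinstance(entry, str) else entry):
            candidate = ntpath.join(d, name)
            if candidate.lower() in files:
                return candidate
    return None

def cwd_last(order=DEFAULT_ORDER):
    """Mitigation named in the text: search the current folder last."""
    return [slot for slot in order if slot != "cwd"] + ["cwd"]

# Constructed sample environment (all paths are illustrative assumptions).
DIRS = {
    "app_dir": r"C:\Program Files\Browser",
    "cwd": r"\\fileserver\share",        # folder the HTML file was opened from
    "system32": r"C:\Windows\System32",
    "system16": r"C:\Windows\System",
    "windows": r"C:\Windows",
    "path": [r"C:\Windows\System32", r"C:\Windows"],
}
FILES = {p.lower() for p in (
    r"\\fileserver\share\explorer.exe",  # copy sitting next to the HTML file
    r"C:\Windows\explorer.exe",          # genuine binary
)}

if __name__ == "__main__":
    for label, order in (("default", DEFAULT_ORDER), ("cwd last", cwd_last())):
        hit = resolve("explorer.exe", DIRS, FILES, order)
        print(f"{label:9} -> {hit}  remote={is_remote(hit)}")
```

Because the genuine explorer.exe lives in the Windows directory rather than System32, the current folder is reached first under the default order; an application that launches helpers by full path avoids the lookup altogether.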