If the program doesn't tell Windows where to find Whizbang.dll, Windows goes looking for the DLL in a very rigidly defined series of folders (details on the MSDN DLL Search Order page). By default, Windows starts by looking in the folder that contains the Senuti.exe program, then goes to the system folder, then the Windows folder, then the current directory, and so on.
The plot thickens. The guys in black hats have been looking at a lot of programs. They find out that Senuti.exe calls Whizbang.dll and that Whizbang.dll isn't normally located in the high-priority folders. It isn't usually in the folder with the Senuti.exe program. It isn't in the system or the Windows folder. So the guys in black hats put a .sen file and their own, jiggered Whizbang.dll file in the same folder.
Here's what happens. You double-click on the folder -- say, on a shared drive or on a USB drive -- that contains the .sen file and Whizbang.dll. Windows Explorer normally shows you .sen files, but it doesn't show you DLLs, so the contents of the folder look just fine. You see the .sen file, and you double-click on it. Bingo. Windows runs the subverted Whizbang.dll file that's inside the folder.
Windows doesn't try to authenticate Whizbang.dll. It just looks for a program called Whizbang.dll by scanning through a specific list of locations. The first Whizbang.dll it encounters wins, and it runs. You've been pwned.
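The folder layout described above (a document and a same-named DLL planted beside it, with no program in that folder that would legitimately need the DLL) is something a defender can scan a share for. The following is an added example, not code from the InfoWorld article or from Microsoft; the share layout, file names and the "document extension" list are constructed for the demonstration, and the heuristic (a DLL in a folder that holds documents but no .exe) is an assumption about what is worth reviewing, not a rule from the article.

```python
"""Scan a file share for DLLs sitting beside documents with no program nearby.

Added example (not from the article). The heuristic is a constructed one:
a DLL in a folder that contains documents but no .exe has no obvious reason
to be there, which is exactly the planted-DLL setup the article describes.
"""
import os
import tempfile
from pathlib import Path

# Constructed list of document types; extend for the share being reviewed.
DOCUMENT_SUFFIXES = {".sen", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def find_planted_dll_candidates(root):
    """Return DLL paths found in folders that hold documents but no .exe."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        suffixes = {Path(f).suffix.lower() for f in filenames}
        has_program = ".exe" in suffixes
        has_documents = bool(suffixes & DOCUMENT_SUFFIXES)
        if has_documents and not has_program:
            for f in sorted(filenames):
                if Path(f).suffix.lower() == ".dll":
                    findings.append(str(Path(dirpath) / f))
    return findings


def build_sample_share(base):
    """Create a constructed share layout for the demonstration."""
    layout = {
        "public/report.sen": b"sample document",   # the bait document
        "public/Whizbang.dll": b"MZ planted",       # DLL with no program beside it
        "tools/Senuti.exe": b"MZ",
        "tools/Helper.dll": b"MZ",                  # DLL next to its own program: not flagged
        "archive/notes.txt": b"text",               # documents only, no DLL: nothing to flag
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the sample share in a temp folder, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        hits = find_planted_dll_candidates(tmp)
        return [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

Run it against the root of a share instead of the temporary folder to get a review list; the output is a starting point for looking at who wrote the file and whether it is signed, not a verdict.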
Companies that publish big-name programs like Senuti.exe should have their programmers figure out exactly where to find subsidiary programs like Whizbang.dll. The program should never say, "Hey, Windows, go out and run the first Whizbang you find." Microsoft programming guru David LeBlanc blogged about that years ago. But programmers get lazy, and systems get complicated. In the end, many hundreds of popular programs, including the ones you use every day, take the short way out -- and now, we're being told, they leave you exposed.
There's nothing particularly new or revolutionary about path exploits; they've been around a long, long time. It's just that, this past week, several high-profile websites have started talking about the problem and showing how the DLL search path can be used in novel ways to run a program surreptitiously. H.D. Moore of Metasploit fame has posted his rationale for releasing information about the exploit, and is actively disseminating exploit kits to help find applications that call DLLs without specifying their locations.
I haven't heard of any new-generation path exploits, but I believe it's only a matter of days before they hit the fan. Microsoft has a couple of mitigations that involve Registry changes detailed in the Security Research & Defense blog. They seem to be effective for the specific infection methods that involve network shares. But the core problem remains -- and won't be solved until application vendors get their code cleaned up.
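To make the search order from the opening paragraph, the "first one found wins" rule, the fully qualified path fix the article asks vendors for, and the current-directory mitigation for network shares concrete, here is an added example that models the loader's lookup on constructed data. It is not Windows code and not from the article: the folder names, DLL names and the in-memory "filesystem" are constructed, the `block_remote_cwd` flag is an assumption modelling the effect of Microsoft's registry mitigation for remote current directories rather than its exact values, and KnownDLLs and already-loaded modules (which the real loader checks first) are deliberately left out.

```python
"""Model of how the Windows loader resolves an unqualified DLL name.

Added example (not from the article, not Windows code). Everything below,
including the folder layout, is constructed for the demonstration.
"""

SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
APP_DIR = r"C:\Program Files\Senuti"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows", r"C:\Program Files\Whizbang"]

# Constructed filesystem: the real Whizbang.dll lives in a PATH folder, and a
# planted copy sits on a network share next to a .sen document.
FILESYSTEM = {
    r"C:\Program Files\Senuti\Senuti.exe",
    r"C:\Program Files\Whizbang\Whizbang.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\public\report.sen",
    r"\\fileserver\public\Whizbang.dll",
}
_FS_LOWER = {p.lower() for p in FILESYSTEM}


def exists(path):
    """Case-insensitive lookup, as NTFS names are."""
    return path.lower() in _FS_LOWER


def is_remote(path):
    """UNC paths (\\server\share) are treated as remote."""
    return path.startswith("\\\\")


def is_fully_qualified(name):
    """Drive-letter or UNC path: the loader opens exactly that file, no search."""
    return name.startswith("\\\\") or (len(name) > 2 and name[1:3] == ":\\")


def search_order(cwd, safe_search=True, block_remote_cwd=False):
    """Folders consulted, in order, for an unqualified DLL name.

    safe_search=True models SafeDllSearchMode (the default): application
    folder, system folder, Windows folder, current directory, then PATH.
    safe_search=False models the legacy order with the current directory second.
    block_remote_cwd=True is an assumption modelling the registry mitigation
    the article mentions: a remote current directory is dropped from the search.
    Simplification: KnownDLLs and already-loaded modules are not modelled.
    """
    cwd_entries = [] if (block_remote_cwd and is_remote(cwd)) else [cwd]
    if safe_search:
        order = [APP_DIR, SYSTEM_DIR, WINDOWS_DIR] + cwd_entries
    else:
        order = [APP_DIR] + cwd_entries + [SYSTEM_DIR, WINDOWS_DIR]
    return order + PATH_DIRS


def resolve_dll(name, cwd, safe_search=True, block_remote_cwd=False):
    """Return the path the loader would open for `name`, or None if not found."""
    if is_fully_qualified(name):
        return name if exists(name) else None
    for folder in search_order(cwd, safe_search, block_remote_cwd):
        candidate = folder.rstrip("\\") + "\\" + name
        if exists(candidate):
            return candidate  # first hit wins; nothing is authenticated
    return None


def demo():
    """Resolve Whizbang.dll when report.sen was opened from the share."""
    cwd = r"\\fileserver\public"  # current directory after double-clicking report.sen
    return {
        "unqualified": resolve_dll("Whizbang.dll", cwd),
        "legacy_order": resolve_dll("Whizbang.dll", cwd, safe_search=False),
        "cwd_blocked": resolve_dll("Whizbang.dll", cwd, block_remote_cwd=True),
        "full_path": resolve_dll(r"C:\Program Files\Whizbang\Whizbang.dll", cwd),
    }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label:13s} -> {path}")
```

The two rows worth comparing are `unqualified`, where the planted copy on the share wins because none of the higher-priority folders holds a Whizbang.dll, and `full_path`, where the search never happens at all, which is the fix the article wants from application vendors. The `cwd_blocked` row shows why the registry mitigation helps for network shares only: it removes the remote current directory from the list but leaves the unqualified lookup in place.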
This story, "Heads up: A whole new class of zero-day Windows vulnerabilities looms," was originally published at InfoWorld.com.