It's actually a whole class of issues; this is just one possible way to exploit it. Basically, the problem has to do with how Windows loads DLLs. When searching for a DLL, Windows has the current directory in the search path. So if you have an application trying to load a DLL that isn't on the system, and you're opening a file in an untrusted shared directory, and the DLL is in there, then it'll get loaded instead. So you put your exploit code in that DLL.
- Otto
Notepad in particular is loading the shdocvw.dll file, which is a part of Internet Explorer. That DLL loads a file called "ieshims.dll", which doesn't exist on most systems. However, the failure to load the file doesn't affect it, and so it continues normally. Thus, if you make an exploit DLL, call it ieshims.dll, place it in a directory with a text file, and then get somebody to open your share and open the text file, then the exploit DLL can be loaded.
- Otto
Bottom line is that this is basically a vulnerability introduced into Windows by Internet Explorer. IE's overly tight integration with the operating system and use of the COM components from it everywhere make this sort of exploit possible. It's not just Notepad that's vulnerable, it's any program that uses IE components, basically. On a larger scale, the DLL loading mechanism in Windows is overly stupid. The forthcoming update will make it less stupid by limiting the search path, but it's still bloody stupid.
- Otto
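The search-order behaviour Otto describes above, modelled as an added example (this is not code from the thread or from anyone posting in it). It builds a throwaway directory layout in a temp folder: a stand-in "System32" that has shdocvw.dll but no ieshims.dll, and a "share" holding a text file next to an empty placeholder ieshims.dll. `resolve_dll` walks a simplified five-slot version of the Windows search order and shows that the missing DLL resolves to the share only because the current directory is in the list; `safe=True` drops that slot, which is what mitigations such as calling SetDllDirectory("") in the application, or the CWDIllegalInDllSearch registry value in the update Otto mentions, achieve. `audit_share` is a defender-side heuristic (the document-extension set is a constructed assumption) that flags shares where DLLs sit beside documents, which is the layout a loader hijack needs.

```python
"""Model of Windows DLL search order with and without the current directory,
plus a simple share audit.  Added example; the search order here is a
simplified approximation, not the exact Windows loader logic."""
import tempfile
from pathlib import Path

# Simplified search order: application dir, System32, Windows dir,
# current working directory, then PATH entries (assumption: one PATH slot).
SEARCH_ORDER = ("app_dir", "system_dir", "windows_dir", "cwd", "path")

# Constructed heuristic: file types a user would plausibly open from a share.
DOC_EXTS = {".txt", ".doc", ".rtf", ".pdf"}


def resolve_dll(name, dirs, safe=False):
    """Return the first directory in SEARCH_ORDER that contains `name`.

    `dirs` maps each search slot to a directory Path (or None if unused).
    With safe=True the "cwd" slot is skipped, approximating what removing
    the current directory from the DLL search path does.
    Returns None when the DLL is found nowhere (the load fails)."""
    for slot in SEARCH_ORDER:
        if safe and slot == "cwd":
            continue
        directory = dirs.get(slot)
        if directory is None:
            continue
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def audit_share(share):
    """Defender-side check: names of DLLs that sit next to documents in `share`.

    A DLL alone, or documents alone, is not flagged; the combination is the
    layout that lets a document open trigger a DLL load from that directory."""
    share = Path(share)
    entries = [p for p in share.iterdir() if p.is_file()]
    has_docs = any(p.suffix.lower() in DOC_EXTS for p in entries)
    dlls = sorted(p.name for p in entries if p.suffix.lower() == ".dll")
    return dlls if has_docs and dlls else []


def demo():
    """Build the layout from the thread in a temp dir and resolve both DLLs.

    Returns paths relative to the temp root as strings so the result can be
    checked after the temp dir is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windows_dir = root / "Windows"
        system_dir = windows_dir / "System32"
        system_dir.mkdir(parents=True)
        (system_dir / "shdocvw.dll").touch()   # present on the system
        # Note: no ieshims.dll anywhere under Windows, as the thread says.

        share = root / "share"
        share.mkdir()
        (share / "notes.txt").touch()          # the document the user opens
        (share / "ieshims.dll").touch()        # constructed, empty placeholder

        # Opening notes.txt from the share makes the share the CWD.
        dirs = {
            "app_dir": system_dir,             # notepad.exe lives in System32
            "system_dir": system_dir,
            "windows_dir": windows_dir,
            "cwd": share,
            "path": None,
        }

        def rel(p):
            return None if p is None else p.relative_to(root).as_posix()

        return {
            "shdocvw": rel(resolve_dll("shdocvw.dll", dirs)),
            "ieshims_unsafe": rel(resolve_dll("ieshims.dll", dirs)),
            "ieshims_safe": rel(resolve_dll("ieshims.dll", dirs, safe=True)),
            "audit": audit_share(share),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the current directory in the order, the missing ieshims.dll resolves to the copy in the share; with that slot removed it resolves nowhere, which shdocvw.dll tolerates according to the thread, so the application keeps working and nothing from the share is loaded.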