The report says this vulnerability is specific to remote network shares and WebDAV. All you have to do is send someone a link to a .txt file on a WebDAV site with a .dll in the same directory, I guess, and they'll be owned... That is pretty awesome.<p>(As was commented on below, this is identical to an LD_LIBRARY_PATH type exploit on Linux; here is Microsoft's fix as well as an explanation of how it works <a href="http://support.microsoft.com/kb/2264107" rel="nofollow">http://support.microsoft.com/kb/2264107</a>)<p>Edit: I realize now literally any URL could be a WebDAV site with a text/plain mime type and an exploit DLL in the same dir. So really, every single URL you hit with IE is potentially vulnerable. Have a nice day.
Anyone know how this works? How would a plain .txt file load a dll? In any case this looks like it would be difficult to execute since the text file has to be in the same directory as the dll.
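Added example, not part of the thread and not Microsoft's code: a simplified Python model of the Windows search order for a DLL requested by bare name, showing why opening a document from a share can resolve a DLL from the document's directory, and what SafeDllSearchMode and the `CWDIllegalInDllSearch` values from the linked KB 2264107 change. The paths, `helper.dll` and the file map are constructed sample data; KnownDLLs, already-loaded modules and manifests are ignored.

```python
# Simplified model of resolving LoadLibrary("name.dll") when no path is given.
# CWDIllegalInDllSearch values as described in Microsoft KB 2264107.
CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_REMOVE = 0, 1, 2, 0xFFFFFFFF

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_dirs(app_dir, cwd, cwd_kind, path_dirs,
                safe_mode=True, cwd_policy=CWD_DEFAULT):
    """Return the ordered directory list for a bare DLL name.

    cwd_kind is 'local', 'unc' or 'webdav'; the caller supplies it because
    this model does not try to classify paths itself.
    """
    blocked = (
        cwd_policy == CWD_REMOVE
        or (cwd_policy == CWD_BLOCK_WEBDAV and cwd_kind == "webdav")
        or (cwd_policy == CWD_BLOCK_REMOTE and cwd_kind in ("webdav", "unc"))
    )
    cwd_part = [] if blocked else [cwd]
    if safe_mode:
        # SafeDllSearchMode on: current directory is searched after system dirs.
        return [app_dir] + SYSTEM_DIRS + cwd_part + list(path_dirs)
    # SafeDllSearchMode off: current directory comes right after the app dir.
    return [app_dir] + cwd_part + SYSTEM_DIRS + list(path_dirs)


def resolve(dll, dirs, files):
    """First directory in dirs that holds dll, according to the file map."""
    for d in dirs:
        if dll.lower() in files.get(d, set()):
            return d
    return None


# Constructed scenario: a viewer opens a document from a share, so the share
# becomes the current directory; helper.dll is not installed anywhere locally.
APP = r"C:\Program Files\Viewer"
CWD = r"\\fileserver.example\share\docs"
FILES = {CWD: {"helper.dll", "version.dll"},
         r"C:\Windows\System32": {"version.dll"}}


def loaded_from(dll, **opts):
    return resolve(dll, search_dirs(APP, CWD, "unc", [r"C:\Tools"], **opts), FILES)


if __name__ == "__main__":
    for policy in (CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_REMOVE):
        print(hex(policy), loaded_from("helper.dll", cwd_policy=policy))
```

In this model only a DLL that is missing from every earlier directory falls through to the share, which is why the setting matters most for optional or legacy DLLs that applications probe for by bare name.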
So basically send someone a zip file with a DLL + readme.txt. Most people would avoid the DLL but not think twice about opening the readme. Sounds nasty.
It reminds me of an old stack overflow that I posted, triggered just by running the command cat: <a href="http://seclists.org/bugtraq/1999/Sep/432" rel="nofollow">http://seclists.org/bugtraq/1999/Sep/432</a>
I wonder if this was in use (for legitimate uses) by anyone prior to its omg-security-breach discovery, and if their use still works. Quite a few Windows applications look in their folder first for DLLs - checking the loaded-file path could conceivably make the same kind of sense. Or just not accounting for current-directory changes when launching with a file (not entirely sure what the behavior is there).
This reminds me of hacking ANSI.SYS escape sequences back in the day. You could create a text file which would be "executed" when someone entered "type readme.txt" at the DOS prompt, by using keyboard remappings and so on.<p>I remember creating a fairly unsuccessful "text file virus" that would try to copy itself around our school network and reboot people's machines. Good times...