Version.dll, Downloads Folder and '0-Daying' Microsoft Office Installer

CWD

Many Application installers are susceptible to 'binary planting' if the planting of the file is in a tricky location the risk becomes less of an issue, but off the back of a review of it was clear that there is a bigger issue here

Lots of Application installers look for version.dll in it's current working directory.

Oh!... what does that mean ?
well, it takes about 2 minutes to create a malicious version.dll file and if placed in the same folder as the application installer i.e. the Downloads folder, this poses a real risk.

PoC

Better at Fullscreen Link


The last time I spoke with Microsoft about security issues, they treat me slightly disrespectfully,... one good turn deserves another.

Tools used: