COMMAND

    DLLs

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    This vulnerability was originally presented at www.ntshop.com/security, and credit for this text is theirs.

    System DLLs are called by applications and the registry, and can be replaced with trojaned or virus-infected versions. The %systemroot% and %systemroot%\system32 directories have default permissions of 'Everyone' (includes guest) set to 'Change'. This allows DLLs not in use to be replaced. DLLs in use are locked.

    DLLs are run by programs at various privilege levels during normal operation. For example, a DLL can be run with SYSTEM privileges by a service while a user with normal privileges is logged on. This is also true of MSGINA.DLL, the default "Graphical Identification and Authorization" provider for the local console logon; if it is replaced, your entire enterprise could be seriously compromised.

    good measure of common sense and diligence. Some things you can do are to set your file permissions accordingly,

SOLUTION

    Check/set your system permissions, don't install new software using an account with any level of administrative privileges, use SMS where possible, use a registry monitor such as NTRegMon when installing software, be leery of using any third-party Web-based executables, including ISAPI .DLLs and Java, and test new things on isolated systems.
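
One way to carry out the "check your system permissions" step, as an added example that is not part of the original advisory: it parses the text that the NT `cacls` tool prints for a system directory and flags entries where a broad group holds Change or Full Control. The watch list of principals, the function names and the sample ACL text are assumptions constructed for illustration.

```python
import re

# Assumed watch list: principals that cover ordinary, guest or anonymous users.
BROAD = {"everyone", "guest", "builtin\\guests", "builtin\\users"}
# cacls right letters that allow a file to be replaced: C (Change), F (Full Control).
WRITABLE = {"C", "F"}
# One ACE as cacls prints it, e.g. "Everyone:(OI)(CI)C" or "NT AUTHORITY\SYSTEM:F".
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def parse_aces(path, output):
    """Return (aces, unparsed) from the cacls output for a single path."""
    aces, unparsed = [], []
    lines = [l for l in output.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        # The first line is prefixed with the path; later lines are indented.
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["who"].strip(), m["flags"], m["right"]))
        else:
            unparsed.append(line.strip())  # e.g. special-access entries: review by hand
    return aces, unparsed

def risky_aces(path, output):
    """List (path, principal, right) where a broad principal can replace files."""
    aces, _ = parse_aces(path, output)
    return [(path, who, right) for who, _flags, right in aces
            if who.lower() in BROAD and right in WRITABLE]

# Constructed sample output (not captured from a real host).
DEFAULT_ACL = r"""C:\WINNT\system32 Everyone:(OI)(CI)C
                  BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  CREATOR OWNER:(OI)(CI)(IO)F"""
TIGHTENED_ACL = r"""C:\WINNT\system32 Everyone:(OI)(CI)R
                  BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F"""

if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("tightened", TIGHTENED_ACL)):
        print(name, risky_aces(r"C:\WINNT\system32", acl))
```

Lines the parser cannot read are returned separately by `parse_aces` so they can be reviewed by hand instead of being silently treated as safe.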