July 28, 2000

Relative Registry Paths May Allow Trojans to Run

VERSIONS AFFECTED

Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

DESCRIPTION

According to the discoverer, Windows uses a specific search order for executables that are defined in the Registry. If those definitions use relative path names instead of absolute path names, then it is possible to cause a Trojan to run instead of the legitimate executable.

The search order used is as follows:

-The directory where the calling application loaded from
-The current directory of the parent process
-The 32-bit Windows system directory: System32
-The 16-bit Windows system directory: System
-The Windows directory: %SYSTEMROOT%
-The directories listed in the PATH environment variable

DEMONSTRATION

During the system boot sequence, any file named EXPLORER.EXE located in the boot drive's root directory will load instead of the legitimate version, normally located in the %SYSTEMROOT% directory.
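The following is an added audit example, not part of the advisory: it flags Registry start-up values whose executable is not fully qualified and expands the search order listed above so the boot-time EXPLORER.EXE case can be seen. The registry values are a constructed sample, and the directories passed to search_candidates (C:\WINNT as %SYSTEMROOT%, a parent current directory of C:\) are assumptions.

```python
import ntpath
import re

# Constructed sample of registry values (not read from a live machine); the key
# names follow the standard Winlogon\Shell and Run locations, the values are ours.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Editor": r"%SYSTEMROOT%\system32\notepad.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool": r'"C:\Program Files\Tool\tool.exe" /quiet',
}

# A path is fully qualified if it starts with a drive letter, a UNC prefix,
# or an environment variable that expands to a directory (e.g. %SYSTEMROOT%).
QUALIFIED = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[A-Za-z_]+%\\)")

def command_image(value):
    """Return the executable token of a command-line style registry value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def is_relative(image):
    """True when the image name will be resolved through the search order."""
    return not QUALIFIED.match(image)

def search_candidates(image, app_dir, cwd, system_root, path_dirs):
    """Locations probed, in the order the advisory lists, for a relative image."""
    dirs = [app_dir, cwd,
            ntpath.join(system_root, "System32"),
            ntpath.join(system_root, "System"),
            system_root] + list(path_dirs)
    return [ntpath.join(d, image) for d in dirs]

def audit(values):
    """Flag (key, image) pairs whose image is not fully qualified."""
    flagged = []
    for key, value in values.items():
        image = command_image(value)
        if is_relative(image):
            flagged.append((key, image))
    return flagged

if __name__ == "__main__":
    for key, image in audit(SAMPLE_VALUES):
        print("relative image in", key, "->", image)
    # Boot-time case from the advisory: the parent's current directory is the
    # boot drive root, so C:\explorer.exe is probed before %SYSTEMROOT%\explorer.exe.
    for p in search_candidates("explorer.exe", r"C:\WINNT\system32", "C:\\",
                               r"C:\WINNT", [r"C:\WINNT\system32", r"C:\WINNT"]):
        print(p)
```

The fix the audit points at is to replace each flagged value with its fully qualified path so the search order is never consulted.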