Including "current directory" in the library search path was a poor design decision, one I cannot see the reasoning behind (except for a stupid attempt at allowing side-by-side versioning).
MS should just drop "current directory" searching. Yes, some legacy apps may break (poorly designed ones). They could then be fixed simply by modifying the PATH variable to include ".". Of course, this would bring us back to this situation, but then those who do that should know how to block against these attacks at the perimeter.
That some applications will try to load DLLs from the same location they opened a media file (or something else) is just plain stupid.
Really, Windows should refuse to load DLLs across the network (even LANs) unless the original executable (i.e. not document or file) was also loaded from that same location.



