Re: Windows Mail Find People DLL side loading vulnerability

Posted by Securify B.V. on Mar 09

Hi Stefan,

See below.

They still use LoadLibrary() to load wab32res.dll. Previously, they
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll,
PathRemoveFileSpec() removes wab32.dll from the path. They also call…
