Microsoft Windows DLL Search Path Weakness
When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. These files are dynamically located at run time, and loaded if necessary. A weakness exists in the algorithm used to locate these files.
The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable called with the same current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double clicked in Windows Explorer.
This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad.
This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers.