Impact
By carefully crafting DLL and putting into a subdirectory of a specific name living next to the Git for Windows installer, Windows can be tricked to DLL side-load said DLL.
This potentially allows users with local write access to place malicious payloads in a location where automated upgrades might run the Git for Windows installer with elevation.
Patches
Workarounds
Never leave untrusted files in the Downloads folder or its sub-folders before executing the Git for Windows installer. Or move the installer into a different directory before executing it.
References
veath1 Reporter
Impact
By carefully crafting DLL and putting into a subdirectory of a specific name living next to the Git for Windows installer, Windows can be tricked to DLL side-load said DLL.
This potentially allows users with local write access to place malicious payloads in a location where automated upgrades might run the Git for Windows installer with elevation.
Patches
Workarounds
Never leave untrusted files in the Downloads folder or its sub-folders before executing the Git for Windows installer. Or move the installer into a different directory before executing it.
References