by devbug 2675 days ago
I learned something a few days ago that made me both laugh and cry:

LoadLibraryA will happily load a DLL from WebDAV through a UNC path. Something like \\example.com@80\path\to\payload.dll.

It goes without saying that this has been abused by viruses to surreptitiously fetch their malicious code.

Is that much different than a get and load in the end?
It's a pretty useful attack vector since you can get an arbitrary program to load your payload under certain circumstances, so you don't even need malicious code running if you can find a vulnerable target. cough SharePoint cough
Yes -- you may not be able to convince a program to download a file, but you may be able to tell it to use an improperly sanitized plugin name via a static, non-executable document that someone downloads and tries to view.
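
An added example, not part of the thread: one way to close the "improperly sanitized plugin name" hole from the last comment is to accept only a bare DLL file name and load it from the application directory. `is_safe_plugin_name` and `load_plugin` are hypothetical names, and the 64-character cap is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

static int ascii_name_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* Returns 1 only for a bare "name.dll": the allow-list has no '\\', '/',
 * ':' or '@', so UNC, WebDAV (host@port), drive and device paths all fail. */
int is_safe_plugin_name(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len < 5 || len > 64 || name[0] == '.')  /* 64 is an arbitrary cap */
        return 0;
    for (i = 0; i < len; i++)
        if (!ascii_name_char((unsigned char)name[i]))
            return 0;
    if (strstr(name, "..") != NULL)
        return 0;
    /* Case-insensitive ".dll" suffix (bytes are known ASCII at this point). */
    return (name[len - 4] == '.') && ((name[len - 3] | 0x20) == 'd') &&
           ((name[len - 2] | 0x20) == 'l') && ((name[len - 1] | 0x20) == 'l');
}

#ifdef _WIN32
/* Load a validated name from the application directory only. */
HMODULE load_plugin(const char *name)
{
    if (!is_safe_plugin_name(name))
        return NULL;
    return LoadLibraryExA(name, NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR);
}
#endif

int main(void)
{
    /* Constructed inputs; the second is the path form quoted in the post. */
    const char *samples[] = { "viewer.dll",
                              "\\\\example.com@80\\path\\to\\payload.dll" };
    for (size_t i = 0; i < 2; i++)
        printf("%-45s %s\n", samples[i],
               is_safe_plugin_name(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The validator is an allow-list rather than a search for `\\` prefixes, so forward-slash and mixed-separator spellings of a remote path are rejected by the same rule.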