Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission



"Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> wrote:

Would you mind breaking the lines of your posts near column 70?

From your blog:

[ ... ]

I would say "our self-serving and marketing-oriented minds remain
challenged to understand what security really is, but regardless,
continue to find ways of trying to convince people this represents
an actual security threat. In the end, it was our research that
falsely created security concerns and confusion where time was
better spent really doing just about anything else, but it would
have been a missed opportunity to get our names in the media to
sell our security services."

While I agree with you that the threat from Microsoft's implicit
DLL and EXE search/load order, which includes ".", is old and well-known:
should Microsoft NOT fix their products?

One of the first MS bulletins that acknowledges this problem is MS00-052;
cf <http://support.microsoft.com/kb/269049>

| CAUSE: This issue can occur when you start a program by using a
| registry key if the entry does not specify an absolute path.
| Without a complete path, a standard path search order is followed.

At least after that bulletin I'd expect a company with some reputation
to do their homework, check all the references to executables in the
registry (and elsewhere too) for incomplete paths (Windows XP SP3 has
about 3000 in the registry alone, Windows 7 Professional x86 about 4500)
and fix them all.

JFTR: the path of every (system) file in Windows is well-known; it's
absolutely no problem to always use a fully-qualified path.
But it is sloppy coding practice, poor software engineering and even
poorer QA, and a true sign of "we don't care", that Microsoft did not fix
those simple errors.

But how did they fix MS00-052? They left the incomplete path in the
registry and patched the binaries which evaluate it to modify their
search/load order. WTF?

About a year after MS00-052 Microsoft introduced "SafeDLLSearchMode"
and documented "StartRunNoHOMEPATH":
cf <http://support.microsoft.com/kb/306850>

Only 4 more years later Microsoft encountered the same problem on
Windows XP and 2003 too and introduced "SafeProcessSearchMode":
cf <http://support.microsoft.com/kb/905890>

JFTR: in Windows 7 SP1 both "Safe*SearchMode" registry entries are
NOT present!

Remember that Microsoft started their "trustworthy computing"
initiative in 2001; its first outcome was SP2 of Windows XP in 2004.

Another 4 years later came MS09-015 "blended threat vulnerability in
SearchPath ...", cf <http://support.microsoft.com/kb/959426>

And still Microsoft did NOTHING to eliminate the root cause of this
problem!

Stefan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
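The two checks Stefan describes above, as an added example that is not part of his post nor Microsoft's own tooling: read the two "Safe*SearchMode" values under Session Manager (absent means the OS default applies; SafeDllSearchMode has defaulted to enabled since XP SP2, SafeProcessSearchMode is off unless set per KB905890), and then walk the registry for values whose first token names an executable module without a fully-qualified path, the kind of entry MS00-052 warned about. The registry roots scanned, the extension list, and the "first token" heuristic are assumptions of this example, not of the post; run it in an elevated PowerShell session on the machine being audited.

```powershell
# Added example (not from the original post). Audits the search-mode
# knobs and hunts for unqualified executable references in the registry.

function Get-SearchModeSetting {
    # Both values live under Session Manager (KB306850 / KB905890).
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    foreach ($name in 'SafeDllSearchMode', 'SafeProcessSearchMode') {
        $v = (Get-ItemProperty -Path $sm -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -eq $v) { 'not present (OS default applies)' } else { $v }
        }
    }
}

function Get-FirstToken([string]$data) {
    # Returns the command/module part of a registry command line:
    # the quoted string if it starts with a quote, else up to the first blank.
    $d = $data.TrimStart()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
        return $d.Substring(1)
    }
    return ($d -split '\s', 2)[0]
}

function Find-UnqualifiedExeRef {
    param(
        # Assumption: these roots hold the bulk of command/module references.
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')
    )
    # Module extensions worth flagging; "shell32.dll,-12" style icon refs count too.
    $modRe = '\.(exe|dll|cpl|scr|ocx|sys)(,.*)?$'
    # Fully qualified: drive letter, UNC, %VAR%-rooted, or NT object path.
    $absRe = '^([A-Za-z]:\\|\\\\|%[^%]+%|\\\?\?\\)'

    foreach ($root in $Roots) {
        # A full walk of HKLM\SOFTWARE takes minutes; access errors are skipped.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            try { $props = Get-ItemProperty -Path $key.PSPath -ErrorAction Stop } catch { return }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }          # provider metadata
                if ($p.Value -isnot [string]) { continue }     # REG_SZ/EXPAND_SZ only
                $tok = Get-FirstToken $p.Value
                if ($tok -match $modRe -and $tok -notmatch $absRe) {
                    [pscustomobject]@{ Key = $key.Name; Value = $p.Name; Data = $p.Value }
                }
            }
        }
    }
}

Get-SearchModeSetting | Format-Table -AutoSize
Find-UnqualifiedExeRef | Export-Csv -Path .\unqualified-exe-refs.csv -NoTypeInformation
```

Note that Get-ItemProperty expands REG_EXPAND_SZ data, so "%SystemRoot%\system32\foo.exe" is seen as an absolute path and not flagged; the "%VAR%" branch in the pattern only matters if you switch to GetValue with DoNotExpandEnvironmentNames. A hit such as "rundll32.exe shell32.dll,Control_RunDLL" is exactly the case the post complains about: whichever directory is searched first for rundll32.exe decides what runs.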
