Re: Windows update and EFS

From: Särs, Camillo (Camillo.Sars@F-SECURE.COM)
Date: 11/22/01


Message-ID:  <30B026EA81B98D4082E2FD73B14CB812224180@fsfimail1.FI.F-Secure.com>
Date:         Thu, 22 Nov 2001 10:11:01 +0200
From: "Särs, Camillo" <Camillo.Sars@F-SECURE.COM>
Subject:      Re: Windows update and EFS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


>The problem, which has been already reported by Microsoft, is that if
>you use windows update all temporary installation files are created
>within the administrator profile directory and then moved to the system
>directory as a last step.

[...]

>Even if there is a Knowledge Base file (Article ID: Q307012, I was
>actually installing DirectX 8.1) explaining this behavior in a quite
>summarized way, I found it a bug that has to be repaired at least for
>all "windows update" scripts.

A quote from Q307012:
"This causes the service pack or hotfix files to be copied to the
%SystemRoot% folder as encrypted files."

Not even Microsoft seems to grasp the complicated semantics of "copying vs.
moving".

This again brings up the issues regarding ACLs and inherited ACLs under NTFS.
If a file is *moved* to a system directory, the process that does the move
should fix any ACLs and attributes (including encryption) before moving it.
(Well, according to the previous discussions, at least.) This is
prohibitively difficult, as the process needs to understand all attributes of
the file that might cause problems. Because of this, I think that the
sensible thing to do is to always *copy* files into system directories. This
will ensure that the new copy is created with ACLs that the system
administrator desires. The installation script can then change these ACLs if
required.

I might be out on a limb here, but I would actually go as far as to claim
that any process that *moves* files out of some temporary directory has got
the whole thing backwards. Temporary directories in secured installations
may have very "strange" ACLs. For instance, they would typically allow
access only for their owner, but possibly allow D for Authenticated users.
Not what you'd like to see in your system directory.

Regards,
Camillo Särs

Any opinions expressed above are mine, and do not necessarily reflect the
opinions of my employer.

-- 
Camillo Särs <Camillo.Sars@F-Secure.com>       http://www.iki.fi/ged/
Security Researcher, F-Secure Corporation      http://www.F-Secure.com

F-Secure products: Securing the Mobile Enterprise
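
The check an administrator would want after running such an installer, as an added PowerShell example that is not from the original post: it flags files in a system directory that kept an EFS attribute or explicit (non-inherited) ACEs, the residue of a move rather than a copy, and resets one back to the state a copy into that folder would have produced. The function names, the default path and the one-day window are assumptions.

```powershell
# Added example (not the original post's code): flag files under a system
# directory that look *moved* in rather than copied: EFS Encrypted attribute,
# explicit (non-inherited) ACEs, or inheritance switched off. Paths and the
# "recently written" window are assumptions for the demonstration.
function Find-MovedInFile {
    param(
        [string]$Target = "$env:SystemRoot\System32",
        [int]$NewerThanDays = 1     # limit the scan to the installation window
    )
    $since = (Get-Date).AddDays(-$NewerThanDays)
    Get-ChildItem -LiteralPath $Target -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file = $_
            # FileAttributes.Encrypted is the EFS flag Q307012 describes
            $encrypted = ($file.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
            try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
            # Explicit ACEs mean the file did not just take the folder's inherited
            # permissions, which is exactly what a fresh copy would have received.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            if ($encrypted -or $explicit.Count -gt 0 -or $acl.AreAccessRulesProtected) {
                [PSCustomObject]@{
                    Path           = $file.FullName
                    Owner          = $acl.Owner
                    Encrypted      = $encrypted
                    InheritanceOff = $acl.AreAccessRulesProtected
                    ExplicitACEs   = ($explicit | ForEach-Object {
                        "$($_.IdentityReference)=$($_.FileSystemRights) ($($_.AccessControlType))" }) -join '; '
                }
            }
        }
}

# Bring one file back to what a copy into this folder would have produced:
# no EFS attribute, inheritance on, no explicit ACEs left over from the temp dir.
function Repair-MovedInFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    # Decrypt needs the EFS key, which the installing administrator holds
    if (($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
        [System.IO.File]::Decrypt($Path)
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $false)   # turn inheritance back on
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
# Usage: Find-MovedInFile | Format-Table -AutoSize; then Repair-MovedInFile -Path <flagged file>
```

Run it from an elevated prompt as the account that performed the installation, since only that account (or a configured recovery agent) can decrypt the EFS files the KB article describes.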
