Re: possible regedit bulk key deletion vulnerability (Revised)
From: Ron Parker (ron_at_GWMICRO.COM)
Date: 11/16/04
- Previous message: k levinson: "Re: possible regedit bulk key deletion vulnerability (Revised)"
- In reply to: support_at_maedata.net: "possible regedit bulk key deletion vulnerability (Revised)"
Date: Tue, 16 Nov 2004 09:01:35 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
At 11:08 PM 11/15/2004, you wrote:
>It would not take someone with a lot of smarts to misuse this simple
>incomplete key (which regedit apparently interprets as a global delete of
>all the keys). Malware or a virus could simply dynamically build a .reg file
>or copy one (say malware.reg for example) with the above delete key
>specification, and place an item under the
>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the value of
>"regedit malware.reg /s". Using this example the machine can be rendered
>useless when it was restarted.
Far easier for the malware to use the API that Microsoft thoughtfully
provided for just that purpose:
>begging the point that maybe regedit should also only be allowed to run by
>administrators.
Of course, only an administrator could have deleted HKLM anyway...
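
Added example, not part of the original message or of any poster's code: a defensive check for the two artifacts the quoted scenario leaves behind, a .reg file containing key-deletion sections and a Run value that launches regedit with /s. The function name, the max_depth threshold and the sample text are assumptions constructed for illustration; only the "regedit malware.reg /s" value comes from the thread.

```python
import re

SECTION = re.compile(r'^\[(-?)([^\]]+)\]$')   # "[-KEY]" asks regedit to delete KEY and its subkeys
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string data"
RUN_KEY = r'\software\microsoft\windows\currentversion\run'
REGEDIT = re.compile(r'\bregedit(?:\.exe)?\b', re.I)
SILENT = re.compile(r'(?:^|\s)/s(?:\s|$)', re.I)   # regedit's "no prompt" switch

def audit_reg_text(text, max_depth=2):
    """Return (line_no, kind, detail) findings for the text of a .reg file.

    max_depth is an assumed threshold: a deletion aimed at a key with this
    many path components or fewer below the hive is reported as broad.
    """
    findings = []
    current = None                      # lower-cased key of the section being read
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # Count only non-empty components so malformed paths are still sized.
            parts = [p for p in m.group(2).split('\\') if p.strip()]
            key = '\\'.join(parts)
            if m.group(1):              # deletion section
                kind = 'broad-key-delete' if len(parts) - 1 <= max_depth else 'key-delete'
                findings.append((no, kind, key))
                current = None
            else:
                current = key.lower()
            continue
        v = VALUE.match(line)
        if v and current and current.endswith(RUN_KEY):
            data = v.group(2)
            if REGEDIT.search(data) and SILENT.search(data):
                findings.append((no, 'run-silent-regedit', data))
    return findings

# Constructed sample; ExampleRoot / ExampleVendor keys are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="regedit malware.reg /s"
"Tray"="C:\\Program Files\\ExampleApp\\tray.exe"

[-HKEY_CURRENT_USER\ExampleRoot]

[-HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Cache]
'''

if __name__ == '__main__':
    for finding in audit_reg_text(SAMPLE):
        print(finding)
```
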