BugTraq
Defense in depth -- the Microsoft way (part 7): executable files in data directories Aug 17 2013 07:01PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi,

with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".

Examples:

* "%ALLUSERSPROFILE%\DRM\INDIVBOX.KEY"

a DLL, installed there when a user runs the DRM individualisation
process of Windows Media Player, see
<http://go.microsoft.com/fwlink/fwlink.ashx?linkid=34506> alias
<http://drmlicense.one.microsoft.com/Indivsite/en/indivit.asp?force=1> alias
<https://services.wmdrm.windowsmedia.com/Indivsite/en/indivit.asp?force=
1>

* "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key"

a DLL, used for Silverlight's PlayReady DRM

* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"

* "%LOCALAPPDATA%\Microsoft\SkyDrive\..."

...

While this is a violation of Microsoft's own, about 18 years old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users cant write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).

Executables installed in %USERPROFILE% are but NOT protected against
tampering and can undermine at least the users safety.

Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus" (see
<http://www.ranum.com/security/computer_security/editorials/antivirus/in
dex.html>):

| It makes sense; security never has been important in Windows.

JFTR: unfortunately not only Microsoft shows this bad habit:
crapware like the versions of Google Chrome or Google Drive
that are offered to "end users" installs into
"%LOCALAPPDATA%\Google\Chrome\Application\...",
"%LOCALAPPDATA%\Google\Update\..." and even subdirectories
of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
SoftMaker Office creates a DLL with the user registration data
in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
denied there), Mozilla Firefox and Thunderbird download their
updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
execution is denied there), extensions like Mozilla Lightning
install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
if execution is denied there), ...

I recommend that the developers responsible for these crimes against
computer safety and security learn the meaning of the word "DATA"
before they are allowed to pester unsuspecting users with more of
their (by the very design) unsafe and insecure programs.

stay tuned
Stefan Kanthak

PS: it's getting worse^Wmore complicated (and as everybody with a
sane mind knows: complexity reduces/ruins safety and security)!

With Windows Vista Microsoft introduced "user account control"
(really: they surrendered to all those incapable and incompetent
developers who were and are unable and unwilling to write Windows
software that runs without administrative rights, as requested in
their own, then about 11 year old "Designed for Windows" guidelines)
and "UAC virtualization", which redirects write access failures
(and after that, read accesses too) of "legacy applications", i.e.
32-bit processes run by unprivileged interactive users (cf.
<http://technet.microsoft.com/magazine/4ce22051-1ff9-49c1-ab06-d97658e99
3e0>
and <http://msdn.microsoft.com/en-us/library/bb530410.aspx>)
below "%SystemRoot%\", "%ProgramFiles%\" and "%ProgramData%\" to
"%LOCALAPPDATA%\VirtualStore\".

| However, any file with an executable extension, including .exe,
| .bat, .scr, .vbs, and others, is excluded from virtualization.

The list of predefined "executable" extensions (as found within
%SystemRoot%\System32\Drivers\LUAFV.SYS) is:
.acm, .asa, .asp, .aspx, .ax, .bat, .cer, .chm, .clb, .cmd, .cnt,
.cnv, .com, .cpl, .cpx, .crt, .dll, .drv, .exe, .fon, .grp, .hlp,
.hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .lnk, .msc, .msi,
.msp, .mst, .mui, .nls, .ocx, .pal, .pcd, .pif, .reg, .scf, .scr,
.sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros,
.ws, .wsc, .wsf and .wsh

BUT: .key (see above) is missing!

To modify this list, edit

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Luafv\Parameters]
"ExcludedExtensionsAdd"=multi:
"ExcludedExtensionsRemove"=multi:

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus