BugTraq
Defense in depth -- the Microsoft way (part 12): NOOP security fixes Oct 19 2013 04:35PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="KBD*.DLL"

are either registered with their fully-qualified pathname or exist in
%SystemRoot%\System32.

This STATIC, ONE-TIME check does NOT cure the problem, though; it only
checks for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="%SystemRoot%\\System32\\KBD*.DLL"

Timeline:
~~~~~~~~~

2004-08-23 informed vendor about still unfixed principal security
flaws due to unqualified filenames and Windows' EXE/DLL
search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
2001, and XP SP2 was supposed to eliminate many of the errors
Microsoft made in previous versions of NT.

2004-08-25 vendor replies "no vulnerabilities", but forwards report
to product groups/teams

2004-09-02 vendor still won't see vulnerabilities, asks for POC(s)

...

2008-05-30 vendor publishes
<http://technet.microsoft.com/security/advisory/953818>

2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>
alias
<http://technet.microsoft.com/security/bulletin/ms09-015>
plus
<http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23 vendor publishes
<http://technet.microsoft.com/security/advisory/2269637>
and has updated it over and over again since then

2012-05-08 vendor publishes <http://support.microsoft.com/kb/2686509>
alias
<http://technet.microsoft.com/security/bulletin/ms12-034>

stay tuned
Stefan Kanthak

PS: if Microsoft weren't such sloppy coders and had a QA department this
whole class of vulnerabilities would not exist: the path to EVERY
executable in Windows is well-known, all references can use the
fully-qualified, absolute pathname.

<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
2500+ unqualified (plus not properly quoted long) filenames left in
the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
(plus not properly quoted long) filenames in the \i386\HIVE*.INF and
\i386\DMREG.INF (from which the initial registry is built) on the
installation media.

<http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
4500+ unqualified filenames in the registry of Windows 7 Professional
with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
documents some other issues.
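The audit the post describes, as an added example that is not part of the original post nor of the XP_FIXIT.INF / W7_*.INF files it links: a PowerShell script that walks every keyboard layout registered on a live system, reports each one whose "Layout File" value is a bare filename (and whether that DLL actually exists in System32), and with -Fix rewrites the bare name as a fully-qualified path. It assumes the key and value names as they exist on Windows (Control\Keyboard Layouts\<layout ID>, value "Layout File"; the post abbreviates them), and it writes the expanded literal path as REG_SZ rather than the %SystemRoot% form the post shows, because the script makes no assumption about whether the layout loader expands environment strings.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post or Kanthak's INF files.
# Audit (and optionally fix) keyboard layout DLLs registered with an unqualified
# filename, i.e. a name that Windows resolves through its DLL search order
# instead of a fixed location. Run with -Fix -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix
)

# Key and value names as found on a running Windows system (assumption: unchanged
# across the NT versions the post discusses).
$LayoutsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$System32   = Join-Path $env:SystemRoot 'System32'

function Test-QualifiedPath {
    param([string]$Path)
    # Qualified: drive letter, UNC prefix, or a leading environment variable such
    # as %SystemRoot%. Anything else is searched for, which is what the post objects to.
    return $Path -match '^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)'
}

Get-ChildItem -Path $LayoutsKey | ForEach-Object {
    $key  = $_
    $file = (Get-ItemProperty -Path $key.PSPath -Name 'Layout File' -ErrorAction SilentlyContinue).'Layout File'
    if (-not $file -or (Test-QualifiedPath $file)) { return }

    # The only benign case for a bare name is that the DLL really is in System32.
    # If it is not, a DLL of that name placed earlier in the search path wins.
    $fullPath   = Join-Path $System32 $file
    $inSystem32 = Test-Path -LiteralPath $fullPath -PathType Leaf

    [pscustomobject]@{
        LayoutId   = $key.PSChildName
        LayoutFile = $file
        InSystem32 = $inSystem32
    }

    # Only pin entries whose DLL is actually in System32; a missing one needs a
    # human to decide where the layout really lives (or whether it should exist).
    if ($Fix -and $inSystem32) {
        $target = "$LayoutsKey\$($key.PSChildName)"
        if ($PSCmdlet.ShouldProcess($target, "set 'Layout File' to $fullPath")) {
            # Literal absolute path as REG_SZ: no reliance on environment-string
            # expansion by whatever loads the layout.
            Set-ItemProperty -Path $key.PSPath -Name 'Layout File' -Value $fullPath -Type String
        }
    }
}
```

Without -Fix the script only reports; the rows with InSystem32 = False are the ones a one-time check like the one the post criticises would have flagged, and the ones worth investigating first, since for those names the search order is the only thing deciding which DLL gets loaded. Rerun the audit after any software that installs keyboard layouts, because a single pass proves nothing about later registrations.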
