Defense in depth -- the Microsoft way (part 12): NOOP security fixes Oct 19 2013 04:35PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]

are either registered with their fully-qualified pathname or exist in

This STATIC, ONE-TIME check does NOT cure the problem, it only checks
for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]


2004-08-23 informed vendor about still unfixed principal security
flaws due to unqualified filenames and Windows' EXE/DLL
search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
2001, and XP SP2 was supposed to eliminate many of the errors
Microsoft made in previous versions of NT.

2004-08-25 vendor replies "no vulnerabilities", but forwards report
to product groups/teams

2004-09-02 vendor still won't see vulnerabilities, asks for POC(s)


2008-05-30 vendor publishes

2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>

2010-08-23 vendor publishes
and updates it over and over again since then

2012-05-08 vendor publishes <http://support.microsoft.com/kb/2686509>

stay tuned
Stefan Kanthak

PS: if Microsoft weren't such sloppy coders and had a QA department this
whole class of vulnerabilities would not exist: the path to EVERY
executable in Windows is well-known, all references can use the
fully-qualified, absolute pathname.

<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
2500+ unqualified (plus not properly quoted long) filenames left in
the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
(plus not properly quoted long) filenames in the \i386\HIVE*.INF and
\i386\DMREG.INF (from which the initial registry is built) on the
installation media.

<http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
4500+ unqualified filenames in the registry of Windows 7 Professional
with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
documents some other issues.
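The check the post says KB2686509 runs only once, written as a repeatable audit over a `reg export` file so it can be re-run after every install or update (an added example, not part of the post or of Microsoft's hotfix). It flags the two defect classes the post names, unqualified filenames and unquoted long filenames; the sample export below is constructed, its key path follows the post's spelling, and the "ImageExt" list of extensions is an assumption about which values count as image references.

```python
import re

# Constructed sample modelled on a "reg export" fragment; not real registry contents.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000407]
"Layout File"="%SystemRoot%\\System32\\KBDGR.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="C:\\Program Files\\Example\\svc.exe -run"
"Helper"="\"C:\\Program Files\\Example\\helper.exe\" -x"
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Fully-qualified: drive letter, UNC prefix, or an environment variable expanding to one.
QUALIFIED = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)')
# Assumed set of extensions that mark a value as a loadable image reference.
IMAGE_EXT = re.compile(r'\.(?:exe|dll|sys|ocx|cpl)', re.IGNORECASE)

def classify(value):
    """Return the findings for one string value that references an EXE/DLL."""
    if value.startswith('"'):
        end = value.find('"', 1)                 # properly quoted: path ends at the quote
        path, quoted = value[1:end], True
    else:
        # Unquoted: the path ends at the first image extension, the rest are arguments.
        # This is the same guess the loader has to make, which is why spaces are ambiguous.
        path, quoted = value[:IMAGE_EXT.search(value).end()], False
    findings = []
    if not QUALIFIED.match(path):
        findings.append('unqualified filename (subject to search order): ' + path)
    if not quoted and ' ' in path:
        findings.append('unquoted long filename (ambiguous split): ' + path)
    return findings

def audit(reg_text):
    """Walk a .reg export and return (key, value name, finding) tuples."""
    results, key = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        k = KEY_LINE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_LINE.match(line)
        if not v or not IMAGE_EXT.search(v.group(2)):
            continue
        value = re.sub(r'\\(.)', r'\1', v.group(2))   # undo .reg escaping of \ and "
        results.extend((key, v.group(1), f) for f in classify(value))
    return results

if __name__ == '__main__':
    for key, name, finding in audit(SAMPLE_REG):
        print(f'{key}\n  "{name}": {finding}')
```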


