Re: Microsoft's Binary Planting Clean-Up Mission

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Thor (Hammer of God)" <thor () hammerofgod com> wrote:

Would you mind to break the lines of your posts near column 70?

> > From your blog:

[ ... ]

> I would say "our self-serving and marketing-oriented minds remain
> challenged to understand what security really is, but regardless,
> continue to find ways of trying to convince people this represents
> an actual security threat. In the end, it was our research that
> falsely created security concerns and confusion where time was
> better spent really doing just about anything else, but it would
> have been a missed opportunity to get our names in the media to
> sell our security services."

While I agree with you that the threat from Microsoft's implicit
DLL and EXE search/load order which includes . is old and well-known:
should Microsoft NOT fix their products?

One of the first MS bulletins that acknowledge this problem is MS00-052;
cf <http://support.microsoft.com/kb/269049>

| CAUSE: This issue can occur when you start a program by using a
| registry key if the entry does not specify an absolute path.
| Without a complete path, a standard path search order is followed.

At least after that bulletin I'd expect a company with some reputation
to do their homework, check all the references to executables in the
registry (and elsewhere too) for incomplete paths (Windows XP SP3 has
about 3000 in the registry alone, Windows 7 Professional x86 about 4500)
and fix them all.

JFTR: the path of every (system) file in Windows is well-known, it's
absolutely no problem to always use a fully-qualified path.
It but is sloppy coding practice, poor software engineering and even
poorer QA and a true sign of "we dont care" that Microsoft did not fix
those simple errors.

But how did they fix MS00-052: they left the incomplete path in the
registry and patched the binaries which evaluate it to modify their
search/load order. WTF?

About a year after MS00-052 Microsoft introduced "SafeDLLSearchMode"
and documented "StartRunNoHOMEPATH":
cf <http://support.microsoft.com/kb/306850>

Only 4 more years later Microsoft encountered the same problem on
Windows XP and 2003 too and introduced "SafeProcessSearchMode":
cf <http://support.microsoft.com/kb/905890>

JFTR: in Windows 7 SP1 both "Safe*SearchMode" registry entries are
NOT present!

Remember that Microsoft started their "trustworthy computing"
initiative in 2001, it's first outcome was SP2 of Windows XP in 2004.

Another 4 years later came MS09-015 "blended threat vulnerability in
SearchPath ...", cf <http://support.microsoft.com/kb/959426>

And still Microsoft did NOTHING to eliminate the root cause of this
problem!

Stefan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/