Hi,
with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".
Examples:
* "%ALLUSERSPROFILE%\DRM\INDIVBOX.KEY"
a DLL, installed there when a user runs the DRM individualisation
process of Windows Media Player, see
* "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key"
a DLL, used for Silverlight's PlayReady DRM
* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"
* "%LOCALAPPDATA%\Microsoft\SkyDrive\..."
...
While this is a violation of Microsoft's own, about 18-year-old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users can't write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).
Executables installed in %USERPROFILE%, however, are NOT protected
against tampering and can undermine at least the user's safety.
Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus" (see
| It makes sense; security never has been important in Windows.
JFTR: unfortunately not only Microsoft shows this bad habit:
crapware like the versions of Google Chrome or Google Drive
that are offered to "end users" install into
"%LOCALAPPDATA%\Google\Chrome\Application\...",
"%LOCALAPPDATA%\Google\Update\..." and even subdirectories
of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
SoftMaker Office creates a DLL with the user registration data
in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
denied there), Mozilla Firefox and Thunderbird download their
updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
execution is denied there), extensions like Mozilla Lightning
install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
if execution is denied there), ...
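The post's point is that executables living under the user's own profile directories are writable by that user, so the protection NTFS gives to "%SystemRoot%\" and "%ProgramFiles%\" does not apply to them. The following PowerShell script is an added example, not part of the original post or any Microsoft tooling: it walks the profile locations the post names, lists the executable files found there, and reports for each whether the current user's own SIDs hold write/delete rights on it and whether it carries a valid Authenticode signature. The directory list and the file extensions are assumptions chosen for the audit; the ACL evaluation is a simplified approximation of the Windows access check (it does not model inherited-ACE ordering exactly) and is meant for inventory, not for an authoritative access decision.

```powershell
# Added example (not from the original post): inventory executables in
# user-writable profile locations and flag those the current user could
# tamper with. Run as the (unprivileged) user whose profile is audited.

# Assumption: these are the locations worth auditing, taken from the post.
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ALLUSERSPROFILE, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

# Assumption: extensions treated as "executable" for this audit.
$exts = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl'

# SIDs of the current user and of every group the token carries.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User) + @($me.Groups)

# Rights that allow altering the file's content, ACL or existence.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::WriteOwner

function Test-UserWritable {
    # Approximate check: any Deny ACE for one of our SIDs covering a write
    # right wins; otherwise any Allow ACE covering a write right grants it.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($sids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-ProfileExecutableReport {
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $exts -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path         = $_.FullName
                    UserWritable = Test-UserWritable $_.FullName
                    Signature    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

$report = Get-ProfileExecutableReport

# Executables that are both user-writable and unsigned (or whose signature
# no longer matches) are the ones the post's argument is about.
$exposed = $report | Where-Object { $_.UserWritable -and $_.Signature -ne 'Valid' }

$report  | Sort-Object UserWritable -Descending | Format-Table -AutoSize
"{0} executables found, {1} user-writable, {2} user-writable and not validly signed" -f
    @($report).Count,
    @($report | Where-Object UserWritable).Count,
    @($exposed).Count
```

A file that shows up as user-writable here is one that malware running under the same account could replace without any elevation, which is exactly the boundary the post says is being torn down; the same list is also the starting point for deciding which paths an execution-control policy (Software Restriction Policies or AppLocker path/publisher rules) would have to cover or exempt.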