with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".
a DLL, installed there when a user runs the DRM individualisation
process of Windows Media Player, see
a DLL, used for Silverlight's PlayReady DRM
* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"
While this is a violation of Microsoft's own, about 18 years old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users cant write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).
Executables installed in %USERPROFILE% are but NOT protected against
tampering and can undermine at least the users safety.
Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus" (see
| It makes sense; security never has been important in Windows.
JFTR: unfortunately not only Microsoft shows this bad habit:
crapware like the versions of Google Chrome or Google Drive
that are offered to "end users" installs into
"%LOCALAPPDATA%\Google\Update\..." and even subdirectories
of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
SoftMaker Office creates a DLL with the user registration data
in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
denied there), Mozilla Firefox and Thunderbird download their
updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
execution is denied there), extensions like Mozilla Lightning
install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
if execution is denied there), ...
Read more: Bugtraq security mailing list