Tuesday, August 20, 2013

Defense in depth -- the Microsoft way (part 7): executable files in data directories


with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".



  a DLL, installed there when a user runs the DRM individualisation
  process of Windows Media Player, see

* "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key"

  a DLL, used for Silverlight's PlayReady DRM

* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"

* "%LOCALAPPDATA%\Microsoft\SkyDrive\..."


While this is a violation of Microsoft's own, about 18 years old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users cant write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).

Executables installed in %USERPROFILE% are but NOT protected against
tampering and can undermine at least the users safety.

Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus" (see

| It makes sense; security never has been important in Windows.

JFTR: unfortunately not only Microsoft shows this bad habit:
      crapware like the versions of Google Chrome or Google Drive
      that are offered to "end users" installs into
      "%LOCALAPPDATA%\Google\Update\..." and even subdirectories
      of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
      SoftMaker Office creates a DLL with the user registration data
      in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
      denied there), Mozilla Firefox and Thunderbird download their
      updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
      execution is denied there), extensions like Mozilla Lightning
      install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
      if execution is denied there), ...

QR: Inline image 1