lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20060304035619.24688.qmail@securityfocus.com>
Date: 4 Mar 2006 03:56:19 -0000
From: redxii1234@...mail.com
To: bugtraq@...urityfocus.com
Subject: AVG 7 granting Everyone Full Control to updated files... even its
 drivers


There is more here: http://www.dslreports.com/forum/remark,15601404

Basically, a first time install of AVG 7 will have default permissions. \Program Files\Grisoft\AVG Free has inherited permissions from \Program Files. This is preferred, because lower privileged accounts can't damage it.

Once any files are updated, the permissions are changed to "Everyone" with "Full Control" on the updated files, and will change the owner to whomever is logged in. Even limited users become owners. That does not stop at \Program Files\Grisoft\AVG Free, it will even do that to AVG's drivers in %windir%\system32\drivers.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ