[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CC6B81F6FC0B49E4895248CB26FFAFEE@W340>
Date: Wed, 31 Dec 2014 00:38:56 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 26): "Set Program Access and Computer Defaults" hides applications like Outlook
Hi @ll,
in order to prevent the possible execution of a rogue program like
"C:\Program.exe" or "C:\Program Files\Microsoft.exe", on x64 also
"C:\Program Files.exe" or "C:\Program Files (x86)\Microsoft.exe",
due to the beginner's error of using unquoted pathnames containing
spaces (see <https://cwe.mitre.org/data/definitions/428.html>),
Windows' [*] "Set Program Access and Computer Defaults" (SPAD, see
<http://msdn.microsoft.com/library/cc144162.aspx>) hides programs
that are registered with such erroneous and vulnerable command lines.
For example Microsoft Outlook 2007, Microsoft Outlook 2010 as well as
Microsoft Outlook 2013.
If you have one of these versions of Microsoft Outlook installed but
can't configure it with SPAD, export its registry entries with the
erroneous and vulnerable command lines into a file OUTLOOK.REG:
REGEDIT.EXE /A OUTLOOK.REG "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo"
The file OUTLOOK.REG will look like this (the wildcard ? varies with
your version of Outlook):
--- OUTLOOK.REG ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadhideicons"
"ShowIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadshowicons"
"ReinstallCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadreinstall"
--- EOF ---
Open the file with your favorite editor and insert the string \"
before and after (the 3 occurences of) the pathname
C:\\Program Files\\Microsoft Office\\OFFICE1#\\OUTLOOK.EXE
The corrected file should look like this:
--- OUTLOOK.REG ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadhideicons"
"ShowIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadshowicons"
"ReinstallCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadreinstall"
--- EOF ---
Save your changes and import the file into the registry:
REGEDIT.EXE /S OUTLOOK.REG
Start SPAD again and find "Microsoft Office Outlook" now displayed as
mail program.
enjoy
Stefan Kanthak
[*] at least Windows 7, but I assume this behaviour was introcuded
with Windows Vista; in earlier versions of Windows SPAD but
displays applications with erroneous and vulnerable command lines
and runs rogue programs!
PS: will MSFT ever afford a QA that can find such bloody trivial
beginner's errors?
Powered by blists - more mailing lists