lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9E1051D7A6DF46D285AA0B573B1A741F@celsius>
Date: Mon, 2 Sep 2013 10:53:05 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <hardfalcon@...dfalcon.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Defense in depth -- the Microsoft way (part
	9): erroneous documentation

> I am truly shocked that seemingly, stuff like this needs to be said in
> the year of 2013.

Completely right!

> I'd have supposed that things like these should be known by *anyone*
> doing anything even remotely similar to software development *at least*
> since the end of the 8.3 filename era 15 years ago.

Again: completely right!

> Are you sure this is real and not a prank? o_O

This is real: see <https://support.microsoft.com/kb/2781197> alias
<http://technet.microsoft.com/security/bulletin/ms13-034> or
<http://seclists.org/fulldisclosure/2013/May/10> for exactly this "stuff".

And dont forget to read <http://seclists.org/fulldisclosure/2013/Aug/75>
as well as <http://seclists.org/fulldisclosure/2013/May/14>


Also see <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>,
<https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=868746> and notice
especially how a Mozilla developer tries to weazel and ignore
<http://msdn.microsoft.com/ibrary/ms997548.aspx>!


JFTR: Windows is the ONLY system that covers such silly beginners errors
      due to the documented idiosyncrasy of CreateProcess() (see
      <http://msdn.microsoft.com/library/ms682425.aspx).


Finally take a look at the registry subkey

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

of your own Windows installation (if you have one): you'll most probably
find unquoted pathnames in "UninstallString", for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SumatraPDF]
"UninstallString"="C:\\Program Files\\SumatraPDF\\uninstall.exe"


regards
Stefan

> regards
> Pascal Ernster

[ fullquote removed ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ