Message-ID: <3E11D5B2B951455081EE006D2E2E61F7@celsius>
Date: Sat, 19 Oct 2013 18:35:05 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Defense in depth -- the Microsoft way (part 12): NOOP security fixes
Hi @ll,
with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.
BUT: the hotfix KB2686509 does NOT fix anything!
Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="KBD*.DLL"
are either registered with their fully-qualified pathname or exist in
%SystemRoot%\System32.
This STATIC, ONE-TIME check, however, does NOT cure the problem; it only
checks for the symptom!
If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="%SystemRoot%\\System32\\KBD*.DLL"
Timeline:
~~~~~~~~~
2004-08-23 informed vendor about still unfixed principal security
flaws due to unqualified filenames and Windows' EXE/DLL
search/load order after release of SP2 for Windows XP
JFTR: Microsoft started their "trustworthy computing" initiative in
2001, and XP SP2 was supposed to eliminate many of the errors
Microsoft made in previous versions of NT.
2004-08-25 vendor replies "no vulnerabilities", but forwards report
to product groups/teams
2004-09-02 vendor still won't see vulnerabilities, asks for POC(s)
...
2008-05-30 vendor publishes
<http://technet.microsoft.com/security/advisory/953818>
2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>
alias
<http://technet.microsoft.com/security/bulletin/ms09-015>
plus
<http://technet.microsoft.com/security/bulletin/ms09-014>
2010-08-23 vendor publishes
<http://technet.microsoft.com/security/advisory/2269637>
and updates it over and over again since then
2012-05-08 vendor publishes <http://support.microsoft.com/kb/2686509>
alias
<http://technet.microsoft.com/security/bulletin/ms12-034>
stay tuned
Stefan Kanthak
PS: if Microsoft weren't such sloppy coders and had a QA department this
whole class of vulnerabilities would not exist: the path to EVERY
executable in Windows is well-known, all references can use the
fully-qualified, absolute pathname.
<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
2500+ unqualified (plus not properly quoted long) filenames left in
the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
(plus not properly quoted long) filenames in the \i386\HIVE*.INF and
\i386\DMREG.INF (from which the initial registry is built) on the
installation media.
<http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
4500+ unqualified filenames in the registry of Windows 7 Professional
with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
documents some other issues.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
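The check the post describes (are the registered keyboard-layout DLLs qualified, and do they exist in %SystemRoot%\System32?) together with the rewrite the post asks for, as an added PowerShell example. This is not Microsoft's hotfix and not the author's XP_FIXIT.INF; it is editorial example code. It assumes the key is spelled "Keyboard Layouts" with the value name "Layout File" (the names found on current Windows; the post writes them as "Keyboard Layout" and "LayoutFile"), both of which are parameters so they can be adjusted. Without -Fix the script only reports; with -Fix it rewrites unqualified entries whose DLL actually sits in System32 to a %SystemRoot%-rooted REG_EXPAND_SZ value, which is the form the post proposes.

```powershell
#Requires -Version 3.0
<#
  Audit (and optionally rewrite) keyboard-layout DLL registrations so that
  every "Layout File" value carries a fully-qualified pathname instead of a
  bare KBD*.DLL name that is resolved through the DLL search order.

  Hypothetical example, not Microsoft's KB2686509 and not the author's .INF.
  Assumed names (adjust if your system differs):
    key   : HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\<KLID>
    value : Layout File
  Reading needs no privileges; -Fix needs an elevated shell.
#>
[CmdletBinding()]
param(
    [switch]$Fix,
    [string]$LayoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts',
    [string]$ValueName = 'Layout File'
)

$system32 = Join-Path $env:SystemRoot 'System32'

function Test-QualifiedPath {
    param([string]$Path)
    # Fully qualified = drive-rooted (X:\), UNC (\\server\share\), or rooted in an
    # environment variable such as %SystemRoot%\ (the form the post recommends).
    return $Path -match '^(?:[A-Za-z]:\\|\\\\[^\\]+\\|%[^%]+%\\)'
}

# One record per registered layout, mirroring what the hotfix checks once
$findings = foreach ($key in Get-ChildItem -Path $LayoutKey -ErrorAction Stop) {
    # Read the raw value so an existing %SystemRoot% prefix is not expanded away
    $layoutFile = $key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
    if (-not $layoutFile) { continue }

    $qualified = Test-QualifiedPath $layoutFile
    $expanded  = [Environment]::ExpandEnvironmentVariables($layoutFile)
    # An unqualified name is only "safe" if the DLL really lives in System32
    $resolved  = if ($qualified) { $expanded } else { Join-Path $system32 $layoutFile }

    [pscustomobject]@{
        KLID       = $key.PSChildName
        LayoutFile = $layoutFile
        Qualified  = $qualified
        Exists     = Test-Path -LiteralPath $resolved -PathType Leaf
        Resolved   = $resolved
    }
}

# Every entry listed here still goes through LoadLibrary's search order at run time
$unqualified = @($findings | Where-Object { -not $_.Qualified })
$unqualified | Format-Table KLID, LayoutFile, Exists, Resolved -AutoSize
Write-Host ("{0} layout(s) registered, {1} unqualified" -f @($findings).Count, $unqualified.Count)

if ($Fix) {
    foreach ($f in $unqualified) {
        if (-not $f.Exists) {
            # Do not point a value at a file that is not there; a human must look at this one
            Write-Warning "$($f.KLID): '$($f.LayoutFile)' not found in System32, left untouched"
            continue
        }
        $newValue = '%SystemRoot%\System32\' + (Split-Path -Leaf $f.LayoutFile)
        $keyPath  = Join-Path $LayoutKey $f.KLID
        # REG_EXPAND_SZ keeps the value relocatable across installations
        Set-ItemProperty -LiteralPath $keyPath -Name $ValueName -Value $newValue -Type ExpandString
        Write-Verbose "$($f.KLID): '$($f.LayoutFile)' -> '$newValue'"
    }
}
```

Run it as `.\Audit-KeyboardLayouts.ps1` for the report and `.\Audit-KeyboardLayouts.ps1 -Fix -Verbose` from an elevated prompt to rewrite; try the rewrite on a throwaway VM first, since a layout value the kernel cannot load costs you keyboard input, and confirm on that VM that the consumer of the value honours REG_EXPAND_SZ before rolling it out. Unlike the one-time hotfix check, the report can be scheduled so a later product that registers a bare KBD*.DLL name is noticed.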