Date: Sat, 19 Oct 2013 18:35:05 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Defense in depth -- the Microsoft way (part 12): NOOP security fixes

Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034> Microsoft
addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="KBD*.DLL"

are either registered with their fully-qualified pathname or exist in
%SystemRoot%\System32.

This STATIC, ONE TIME check does NOT cure the problem, it only checks
for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="%SystemRoot%\\System32\\KBD*.DLL"

Timeline:
~~~~~~~~~

2004-08-23 informed vendor about still unfixed principal security flaws
           due to unqualified filenames and Windows' EXE/DLL search/load
           order after release of SP2 for Windows XP

           JFTR: Microsoft started their "trustworthy computing"
           initiative in 2001, and XP SP2 was supposed to eliminate many
           of the errors Microsoft made in previous versions of NT.

2004-08-25 vendor replies "no vulnerabilities", but forwards report to
           product groups/teams

2004-09-02 vendor still won't see vulnerabilities, asks for POC(s)

...

2008-05-30 vendor publishes
           <http://technet.microsoft.com/security/advisory/953818>

2009-04-15 vendor publishes <http://support.microsoft.com/kb/959426>
           alias <http://technet.microsoft.com/security/bulletin/ms09-015>
           plus <http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23 vendor publishes
           <http://technet.microsoft.com/security/advisory/2269637>
           and updates it over and over again since then

2012-05-08 vendor publishes <http://support.microsoft.com/kb/2686509>
           alias <http://technet.microsoft.com/security/bulletin/ms12-034>

stay tuned
Stefan Kanthak

PS: if Microsoft weren't such sloppy coders and had a QA department
this whole class of vulnerabilities would not exist: the path to EVERY
executable in Windows is well-known, all references can use the
fully-qualified, absolute pathname.

<http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
2500+ unqualified (plus not properly quoted long) filenames left in the
registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
(plus not properly quoted long) filenames in the \i386\HIVE*.INF and
\i386\DMREG.INF (from which the initial registry is built) on the
installation media.

<http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
4500+ unqualified filenames in the registry of Windows 7 Professional
with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
documents some other issues.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
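The following script is an added example; it is not part of the post above and not one of Stefan Kanthak's INF files. It shows, offline, the two things the post contrasts: the symptom check (is a "LayoutFile" value a bare file name that is only found because it happens to exist in %SystemRoot%\System32?) and the cure the post asks for (rewriting every such value as a fully-qualified pathname). It works on a .reg export of the key rather than on a live registry so it can be run and reviewed anywhere; the key path and value name are taken from the post as written, and the sample export, LCIDs and file names are constructed for the example. The corrected export is written as REG_EXPAND_SZ (hex(2): in .reg syntax) because a plain "..." line would create a REG_SZ in which %SystemRoot% is not expanded.

```python
"""Audit a .reg export of the "Keyboard Layout" tree for unqualified
"LayoutFile" values and emit a corrected export.

Added example (not from the post): the key and value names follow the
post as written; the sample export below is constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export: one bare file name (the condition the post
# describes), one %SystemRoot%-relative value, one absolute value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000409]
"LayoutFile"="KBDUS.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000407]
"LayoutFile"="%SystemRoot%\\System32\\KBDGR.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\0000040c]
"LayoutFile"="C:\\Windows\\System32\\KBDFR.DLL"
'''

# The directory the post names as the home of the KBD*.DLL files.
QUALIFIED_DIR = r"%SystemRoot%\System32"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for REG_SZ entries."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def is_fully_qualified(path: str) -> bool:
    """True for drive-absolute (C:\\...), UNC (\\\\server\\...) or a path
    rooted in an environment variable (%SystemRoot%\\...). A bare file
    name or any other relative form is what the post calls an
    unqualified filename: it is resolved through the DLL search order."""
    return bool(re.match(r"^(?:[A-Za-z]:\\|\\\\|%[^%\\]+%\\)", path))


def qualify(layout_file: str) -> str:
    """Rewrite a value the way the post proposes: prefix the well-known
    directory. Any relative directory part present is discarded."""
    base = layout_file.rsplit("\\", 1)[-1]
    return QUALIFIED_DIR + "\\" + base


def audit(text: str) -> List[Tuple[str, str, str]]:
    """List (key_path, current_value, qualified_value) for every
    LayoutFile that is not fully qualified."""
    findings = []
    for key, values in parse_reg(text).items():
        lf = values.get("LayoutFile")
        if lf is not None and not is_fully_qualified(lf):
            findings.append((key, lf, qualify(lf)))
    return findings


def to_reg_expand_sz(value: str) -> str:
    """Encode a string as REG_EXPAND_SZ in .reg syntax (hex(2): UTF-16LE,
    NUL-terminated) so %SystemRoot% is expanded when the value is read."""
    data = (value + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def fix_reg(text: str) -> str:
    """Produce a .reg file that rewrites only the unqualified LayoutFile
    values; importing it leaves every other value untouched."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _old, new in audit(text):
        lines.append(f"[{key}]")
        lines.append(f'"LayoutFile"={to_reg_expand_sz(new)}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, old, new in audit(SAMPLE_REG):
        print(f"{key}\n  unqualified: {old}\n  should be:   {new}")
    print(fix_reg(SAMPLE_REG))
```

Run against a real export (`reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" layout.reg` on the machine, then feed the file to `audit`), the finding list is the symptom the hotfix checks for once; importing the output of `fix_reg` is the persistent change the post says the hotfix should have made. The same `is_fully_qualified` test applies to any other registry value that names an executable or DLL.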