lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <57715D281E53467C8E878E1BBC100AB9@W340>
Date: Mon, 5 Feb 2018 16:24:32 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 50);
	Windows Update shoves unsafe crap as "important" updates to
	unsuspecting users

Hi @ll,

on all but their latest versions of Windows (which Microsoft ships
with .NET Framework 4.x), Microsoft shoves COMPLETELY NEW versions
of .NET Framework via Windows/Automatic Updates onto the PERSONAL
computers of their unsuspecting users^Wcustomers, even and especially
when those customers^Wpoor victims have NOT A SINGLE application
installed which needs .NET Framework at all, and installs them
without asking or even informing their customers, SILENTLY!

Trustworthy computing? NOPE!

In detail:

* Users of Windows 2000 got .NET Framework 1.1, then 2.0 and 3.0
  shoved onto their computers, SILENTLY!

JFTR: .NET Framework 2.0 is NOT an update to .NET Framework 1.x,
      but a COMPLETELY new and incompatible version, which gets
      installed aside a previous version.

* Users of Windows XP got and users of Windows Embedded POSReady 2009
  still get .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved
  onto computers, SILENTLY!

JFTR: neither Windows 2000 nor Windows XP shipped with any version
      of .NET Framework.
      Especially with these versions of Windows, pushing
      .NET Framework as "Update" is an euphemism.

JFTR: .NET Framework 4.x is NOT an update to any prior version of
      .NET Framework, but a COMPLETELY new and incompatible version,
      which gets installed aside previous versions.
      At least Microsoft continued to use the euphemism "Update".

* Users of Windows Server 2003 and Windows Server 2003 R2 got
  .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved onto
  computers, SILENTLY!

JFTR: Windows Server 2003 shipped with .NET Framework 1.1, and
      Windows Server 2003 R2 with both .NET Framework 1.1 and 2.0.

* Users of Windows Vista got, and users of Windows Server 2008
  still get .NET Framework 3.5, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2 and
  4.6 shoved onto computers, SILENTLY!

JFTR: both versions of Windows shipped with .NET Framework 3.0,
      for which 3.5 may be considered an update.

* Users of Windows 7 as well as users of Windows Server 2008 R2
  still get .NET Framework 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2, 4.6,
  4.6.1, 4.6.1, 4.7 and 4.7.1 shoved onto computers, SILENTLY!

JFTR: both versions of Windows shipped with .NET Framework 3.5.1.


Every installed version of .NET Framework enlarges the attack
surface of Windows, SIGNIFICANTLY, and contains multiple known
vulnerabilities Microsoft WON'T FIX, for example:

* the (update) installers of EVERY version of .NET are vulnerable
  to DLL hijacking and allow to perform escalation of privilege:
  see <http://seclists.org/fulldisclosure/2017/Jun/34>

* all versions of .NET Framework are vulnerable to DLL hijacking
  and allow a trivial to perform escalation of privilege: see
  <http://seclists.org/fulldisclosure/2017/Jul/11>


Mitigation:
~~~~~~~~~~~

To block WU/AU from shoving .NET Framework 4.x SILENTLY to your
computer, see the MSKB articles
<https://support.microsoft.com/kb/982320>,
<https://support.microsoft.com/kb/2721187>,
<https://support.microsoft.com/kb/2971109>,
<https://support.microsoft.com/kb/3133990>,
<https://support.microsoft.com/kb/4024204> and
<https://support.microsoft.com/kb/4052152>: then create the
following *.REG and import it.

--- *.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]
"BlockNetFramework4"=dword:00000001
"BlockNetFramework45"=dword:00000001
"BlockNetFramework451"=dword:00000001
"BlockNetFramework452"=dword:00000001
"BlockNetFramework46"=dword:00000001
"BlockNetFramework461"=dword:00000001
"BlockNetFramework462"=dword:00000001
"BlockNetFramework47"=dword:00000001
"BlockNetFramework471"=dword:00000001
--- EOF ---

To block earlier versions, see the MSKB articles
<https://support.microsoft.com/kb/949160>,
<https://support.microsoft.com/kb/949161> and
<https://support.microsoft.com/kb/959211>.


stay tuned
Stefan Kanthak


PS: Microsoft implemented .NET Framework in Windows NT in a
    TOTALLY flawed and wrong way: if done right, it were an
    NT subsystem, like the "Subsystem for OS/2", the POSIX
    subsystem, the "Subsystem for UNIX Applications", the
    "Windows Subsystem for Linux" or Windows itself.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ