Message-ID: <57715D281E53467C8E878E1BBC100AB9@W340>
Date: Mon, 5 Feb 2018 16:24:32 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 50); Windows Update shoves unsafe crap as "important" updates to unsuspecting users

Hi @ll,
on all but their latest versions of Windows (which Microsoft ships
with .NET Framework 4.x), Microsoft shoves COMPLETELY NEW versions
of .NET Framework via Windows/Automatic Updates onto the PERSONAL
computers of their unsuspecting users^Wcustomers, even and especially
when those customers^Wpoor victims have NOT A SINGLE application
installed which needs .NET Framework at all, and installs them
without asking or even informing their customers, SILENTLY!
Trustworthy computing? NOPE!
In detail:

* Users of Windows 2000 got .NET Framework 1.1, then 2.0 and 3.0
  shoved onto their computers, SILENTLY!

  JFTR: .NET Framework 2.0 is NOT an update to .NET Framework 1.x,
        but a COMPLETELY new and incompatible version, which gets
        installed aside a previous version.

* Users of Windows XP got and users of Windows Embedded POSReady 2009
  still get .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved
  onto computers, SILENTLY!

  JFTR: neither Windows 2000 nor Windows XP shipped with any version
        of .NET Framework.
        Especially with these versions of Windows, pushing
        .NET Framework as "Update" is a euphemism.

  JFTR: .NET Framework 4.x is NOT an update to any prior version of
        .NET Framework, but a COMPLETELY new and incompatible version,
        which gets installed aside previous versions.
        At least Microsoft continued to use the euphemism "Update".

* Users of Windows Server 2003 and Windows Server 2003 R2 got
  .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved onto
  computers, SILENTLY!

  JFTR: Windows Server 2003 shipped with .NET Framework 1.1, and
        Windows Server 2003 R2 with both .NET Framework 1.1 and 2.0.

* Users of Windows Vista got, and users of Windows Server 2008
  still get .NET Framework 3.5, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2 and
  4.6 shoved onto computers, SILENTLY!

  JFTR: both versions of Windows shipped with .NET Framework 3.0,
        for which 3.5 may be considered an update.

* Users of Windows 7 as well as users of Windows Server 2008 R2
  still get .NET Framework 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2, 4.6,
  4.6.1, 4.6.1, 4.7 and 4.7.1 shoved onto computers, SILENTLY!

  JFTR: both versions of Windows shipped with .NET Framework 3.5.1.

Every installed version of .NET Framework enlarges the attack
surface of Windows, SIGNIFICANTLY, and contains multiple known
vulnerabilities Microsoft WON'T FIX, for example:
* the (update) installers of EVERY version of .NET are vulnerable
  to DLL hijacking and allow escalation of privilege:
  see <http://seclists.org/fulldisclosure/2017/Jun/34>

* all versions of .NET Framework are vulnerable to DLL hijacking
  and allow a trivial-to-perform escalation of privilege: see
  <http://seclists.org/fulldisclosure/2017/Jul/11>

Mitigation:
~~~~~~~~~~~
To block WU/AU from shoving .NET Framework 4.x SILENTLY to your
computer, see the MSKB articles
<https://support.microsoft.com/kb/982320>,
<https://support.microsoft.com/kb/2721187>,
<https://support.microsoft.com/kb/2971109>,
<https://support.microsoft.com/kb/3133990>,
<https://support.microsoft.com/kb/4024204> and
<https://support.microsoft.com/kb/4052152>: then create the
following *.REG and import it.
--- *.REG ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]
"BlockNetFramework4"=dword:00000001
"BlockNetFramework45"=dword:00000001
"BlockNetFramework451"=dword:00000001
"BlockNetFramework452"=dword:00000001
"BlockNetFramework46"=dword:00000001
"BlockNetFramework461"=dword:00000001
"BlockNetFramework462"=dword:00000001
"BlockNetFramework47"=dword:00000001
"BlockNetFramework471"=dword:00000001
--- EOF ---
To block earlier versions, see the MSKB articles
<https://support.microsoft.com/kb/949160>,
<https://support.microsoft.com/kb/949161> and
<https://support.microsoft.com/kb/959211>.
stay tuned
Stefan Kanthak
PS: Microsoft implemented .NET Framework in Windows NT in a
    TOTALLY flawed and wrong way: if done right, it would be an
    NT subsystem, like the "Subsystem for OS/2", the POSIX
    subsystem, the "Subsystem for UNIX Applications", the
    "Windows Subsystem for Linux" or Windows itself.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
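As an added example that is not part of Stefan Kanthak's post, the following PowerShell script audits the state the *.REG file above is meant to produce: it lists which .NET Framework versions are actually installed (read from the NDP registry keys Microsoft's installers populate) and reports, for each of the nine BlockNetFramework* values from the post, whether it is set. With the hypothetical -Apply switch it writes the missing values itself, which requires an elevated Windows PowerShell session. The key and value names are those from the post and the standard NDP layout (v2.0.50727, v3.0, v3.5 with Version/Install; v4\Full with Version and Release); nothing else is assumed.

```powershell
# Added example, not code from the original post. Audits installed .NET
# Framework versions and the WU block values; -Apply (hypothetical switch,
# needs an elevated session) writes the same DWORDs the post's *.REG sets.
param([switch]$Apply)

$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$wu  = Join-Path $ndp 'WU'

# 1. Installed versions. The 2.x/3.x keys carry Version and Install;
#    v4\Full carries Version and (from 4.5 on) a Release number.
Write-Output 'Installed .NET Framework versions:'
Get-ChildItem $ndp -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^v[23]\.' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Install -eq 1) { '  {0,-12} {1}' -f $_.PSChildName, $p.Version }
    }
$full = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
if ($full -and $full.Install -eq 1) {
    '  {0,-12} {1} (Release {2})' -f 'v4 Full', $full.Version, $full.Release
}

# 2. The block values from the post's *.REG file, checked one by one.
$blocks = 'BlockNetFramework4',   'BlockNetFramework45',  'BlockNetFramework451',
          'BlockNetFramework452', 'BlockNetFramework46',  'BlockNetFramework461',
          'BlockNetFramework462', 'BlockNetFramework47',  'BlockNetFramework471'

Write-Output 'Windows Update block values:'
if (-not (Test-Path $wu)) {
    Write-Output '  WU key missing: no .NET Framework 4.x offering is blocked'
    if ($Apply) { New-Item $wu -Force | Out-Null }
}
foreach ($name in $blocks) {
    $cur = (Get-ItemProperty $wu -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($cur -eq 1) { 'blocked' } else { 'NOT blocked' }
    Write-Output ('  {0,-22} {1}' -f $name, $state)
    if ($Apply -and $cur -ne 1) {
        # Same value the *.REG imports: REG_DWORD 1
        New-ItemProperty -Path $wu -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}
```

Run it without -Apply first to see which versions are present and which offerings are still unblocked; the read-only part works as a normal user, since the NDP keys are world-readable. After importing the *.REG or running with -Apply, every line under "Windows Update block values" should read "blocked".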