Message-ID: <16A49D646C82488DBAF5903DAA180DC2@H270>
Date: Mon, 28 Jul 2025 18:22:02 +0200
From: Stefan Kanthak via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Cc: Microsoft Security Response Center <secure@...rosoft.com>
Subject: [FD] Defense in depth -- the Microsoft way (part 90): "Digital
	Signature" property sheet missing without "Read Extended
	Attributes" access permission

Hi @ll,

about 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control; this was added for Windows NT 3.5, released one year
later, with separate access permissions for reading or writing data,
attributes and extended attributes
(<https://technet.microsoft.com/en-us/library/cc783530.aspx>).

About 30 years ago Microsoft introduced "Authenticode" to sign portable
executable image files (.AX, .DLL, .EXE, .OCX, .SYS, ...), cabinet
archive files (.CAB, .MSU, ...) and installer package files (.MSI, .MSP,
...) using X.509 digital certificates.
Authenticode signatures are embedded into the files' data.

At the same time Microsoft replaced the file manager as well as the
program manager shipped with their Windows operating systems by
"Windows Explorer", the graphical shell of Windows since then.
For files with embedded Authenticode signature its "Properties" shell
extension is supposed to show a property sheet "Digital Signature".

This, however, fails unless the "Read Extended Attributes" permission is
granted, although this permission is NOT required to read the files'
data, including any Authenticode signature.

stay tuned, and far away from bug-riddled software
Stefan Kanthak
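
An added example, not part of the original post: a PowerShell audit that lists files of the Authenticode-capable types named above whose ACL contains an ACE withholding "Read Extended Attributes", the condition under which the post says the property sheet goes missing. The function name `Find-ReaRestrictedFile` and the default directory are assumptions, and the check is a per-ACE heuristic, not an effective-access computation.

```powershell
# Added example (not from the original post): flag Authenticode-capable files
# whose ACL has an ACE that withholds "Read Extended Attributes".
# Heuristic per-ACE check, not an effective-access computation.
function Find-ReaRestrictedFile {
    param(
        [string]$Path = "$env:SystemRoot\System32"   # assumption: directory to audit
    )
    $rights   = [System.Security.AccessControl.FileSystemRights]
    $rea      = [int]$rights::ReadExtendedAttributes
    $readData = [int]$rights::ReadData
    # File types the post lists as carrying embedded Authenticode signatures
    $signedTypes = '.ax', '.dll', '.exe', '.ocx', '.sys', '.cab', '.msu', '.msi', '.msp'

    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $signedTypes -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_.FullName
            try { $acl = Get-Acl -LiteralPath $file -ErrorAction Stop }
            catch { return }   # ACL not readable with current rights; skip this file
            foreach ($ace in $acl.Access) {
                $mask    = [int]$ace.FileSystemRights
                $hasRea  = ($mask -band $rea) -ne 0
                $hasData = ($mask -band $readData) -ne 0
                $deny    = $ace.AccessControlType -eq 'Deny'
                # Case 1: Deny ACE (explicit or inherited) covering the right
                # Case 2: Allow ACE that grants data reads but omits the right
                if (($deny -and $hasRea) -or (-not $deny -and $hasData -and -not $hasRea)) {
                    [pscustomobject]@{
                        File      = $file
                        Identity  = $ace.IdentityReference
                        Type      = $ace.AccessControlType
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Find-ReaRestrictedFile | Format-Table -AutoSize
```

A file reported under case 2 may still grant the right to the same user through another ACE, so treat hits as candidates to confirm with the effective-access view.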