Bugtraq mailing list archives

Defense in depth -- the Microsoft way (part 12): NOOP security fixes
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Sat, 19 Oct 2013 18:35:05 +0200

Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="KBD*.DLL"

are either registered with their fully-qualified pathname or exist in
%SystemRoot%\System32.

This STATIC, ONE TIME check, however, does NOT cure the problem, it only
checks for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]
"LayoutFile"="%SystemRoot%\\System32\\KBD*.DLL"


Timeline:
~~~~~~~~~

2004-08-23    informed vendor about still unfixed principal security
              flaws due to unqualified filenames and Windows' EXE/DLL
              search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
      2001, and XP SP2 was supposed to eliminate many of the errors
      Microsoft made in previous versions of NT.

2004-08-25    vendor replies "no vulnerabilities", but forwards report
              to product groups/teams

2004-09-02    vendor still won't see vulnerabilities, asks for POC(s)

...

2008-05-30    vendor publishes
              <http://technet.microsoft.com/security/advisory/953818>

2009-04-15    vendor publishes <http://support.microsoft.com/kb/959426>
              alias
              <http://technet.microsoft.com/security/bulletin/ms09-015>
              plus
              <http://technet.microsoft.com/security/bulletin/ms09-014>

2010-08-23    vendor publishes
              <http://technet.microsoft.com/security/advisory/2269637>
              and has updated it over and over again since then

2012-05-08    vendor publishes <http://support.microsoft.com/kb/2686509>
              alias
              <http://technet.microsoft.com/security/bulletin/ms12-034>


stay tuned
Stefan Kanthak


PS: if Microsoft weren't such sloppy coders and had a QA department, this
    whole class of vulnerabilities would not exist: the path to EVERY
    executable in Windows is well-known, all references can use the
    fully-qualified, absolute pathname.

    <http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
    2500+ unqualified (plus not properly quoted long) filenames left in
    the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
    (plus not properly quoted long) filenames in the \i386\HIVE*.INF and
    \i386\DMREG.INF (from which the initial registry is built) on the
    installation media.

    <http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
    4500+ unqualified filenames in the registry of Windows 7 Professional
    with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
    documents some other issues.
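The following audit script is an added example and is not part of Stefan Kanthak's post or of his INF files. It reads a registry export in the .reg text format the post quotes, reports every string value whose executable reference is either unqualified (a bare filename that the loader must locate via the search order) or a path with spaces that is not quoted, and produces a .reg fragment with the fully-qualified, quoted form the post asks for. It generalizes beyond the keyboard layout DLLs to any value ending in an executable-looking extension. The sample export is constructed; its key and value names copy the post's notation, and the rewrite assumes, as the post states for KBD*.DLL, that an unqualified file lives in %SystemRoot%\System32 (the target directory is a parameter, because that assumption does not hold for every entry).

```python
"""Audit a .reg export for unqualified or unquoted executable references.

Added example, not from the Bugtraq post. All input below is constructed.
"""
import re

# Constructed .reg fragment in the notation used by the post; the key and
# value names follow the post, the data values are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000409]
"LayoutFile"="KBDUS.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\00000407]
"LayoutFile"="%SystemRoot%\\System32\\KBDGR.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Service]
"ImagePath"="C:\\Program Files\\Example\\svc.exe -k net"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Executable reference: shortest prefix ending in a known extension that is
# followed by whitespace or the end of the data.
PATH_RE = re.compile(r'^(.*?\.(?:dll|exe|sys|ocx|cpl|scr))(?=\s|$)', re.IGNORECASE)
# Assumed location of unqualified names (true for KBD*.DLL per the post).
DEFAULT_DIR = r'%SystemRoot%\System32'


def unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg(text):
    """Yield (key, name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def split_path(data):
    """Return (path, rest, quoted); path is None if no executable is referenced."""
    if data.startswith('"'):
        end = data.find('"', 1)
        if end > 0:
            return data[1:end], data[end + 1:], True
    m = PATH_RE.match(data)
    if m:
        return m.group(1), data[m.end():], False
    return None, data, False


def classify(data):
    """Return the set of problems found in an executable reference."""
    path, _, quoted = split_path(data)
    issues = set()
    if path is None:
        return issues
    if '\\' not in path:
        issues.add('unqualified')   # bare filename: resolved via the search order
    if ' ' in path and not quoted:
        issues.add('unquoted')      # path with spaces, ambiguous to parse
    return issues


def qualify(data, directory=DEFAULT_DIR):
    """Rewrite data with a fully-qualified and, where needed, quoted path."""
    path, rest, quoted = split_path(data)
    if path is None:
        return data
    if '\\' not in path:
        path = directory + '\\' + path   # assumption: file lives in `directory`
    if ' ' in path:
        path = '"' + path + '"'
    return path + rest


def audit(text):
    """Return [(key, name, data, issues, fixed)] for every flagged value."""
    out = []
    for key, name, data in parse_reg(text):
        issues = classify(data)
        if issues:
            out.append((key, name, data, sorted(issues), qualify(data)))
    return out


def to_reg(findings):
    """Render the fixed values as an importable .reg fragment."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, name, _, _, fixed in findings:
        lines += ['[%s]' % key, '"%s"="%s"' % (escape(name), escape(fixed)), '']
    return '\n'.join(lines)


if __name__ == '__main__':
    for key, name, data, issues, fixed in audit(SAMPLE_REG):
        print('%s\\%s: %s\n  %s -> %s' % (key, name, ', '.join(issues), data, fixed))
    print(to_reg(audit(SAMPLE_REG)))
```

On a real system the input would be the output of `reg export` for the hive or key under review rather than the constructed fragment, and the generated .reg file should be reviewed entry by entry before import, since the script cannot know whether an unqualified name really resolves to the assumed directory.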

