Full Disclosure mailing list archives

Re: Gates: 'You don't need perfect code' for good security


From: "Lan Guy" <rlanguy () hotmail com>
Date: Mon, 3 Nov 2003 10:37:50 +0200

Frank

More to the point, not many people have gone through the MS OPK (OEM
Pre-Install Kit) to see exactly how "modified" one can make a Windows build.

There is also a shortcut for the default Program Files directory (if it was
changed in Install); I can't find it right now.

And using TweakUI from the Windows XP Resource Kit, there are quite a few
unique customisations one can do too.
http://www.microsoft.com/mspress/books/sampchap/6232.asp (and its continuing
page) is 1 example of the info it contains, like being able to modify the
location of all the users' "special folders"; however, they still appear as
virtual links like %USERPROFILE%\My documents.
You can also hide drives from the gui, but I have never had to do that yet.

Lan Guy

----- Original Message ----- 
From: "Frank Knobbe" <frank () knobbe us>
To: <Valdis.Kletnieks () vt edu>
Cc: <nick () virus-l demon co uk>; "Full Disclosure"
<full-disclosure () lists netsys com>
Sent: Monday, November 03, 2003 6:50 AM
Subject: Re: [Full-disclosure] Gates: 'You don't need perfect code' for good security

On Sun, 2003-11-02 at 21:09, Valdis.Kletnieks () vt edu wrote:
On Mon, 03 Nov 2003 12:23:06 +1300, Nick FitzGerald
<nick () virus-l demon co uk>  said:
Finding the actual location of the startup folder was beyond the
exploit because it was running in an environment that could not query
the registry or other system APIs that would reveal the location.

Actually, I think it was beyond the knowledge of the exploit writer. :)

And for bonus points, explain how you fix the scheme so the poor sysadmin who
has to run stuff at startup is able to find the folder, but an exploit running
with 'administrator' or 'system' can't find it?

Sure. %SYSTEMROOT%, %WINDIR%, or %USERPROFILE% should work just fine for
most cases of scripting and such.

Of course viruses and other malware can use the same environment vars. I
guess the writers of these annoyances didn't think that far.... lucky us
:)

Regards,
Frank

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

