y) and
CRT applications too!
Additionally see the MSKB article
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
which does NOT even list the MSVCRT 2005 any more!
stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET
Windows
Installer due to non-executable DLLs written in
the %TEMP% directory!
Timeline:
=
2019-07-17 first vulnerability report sent to vendor
2019-07-18 Intel's PSIRT opens case #2208018370
2019-07-28 Intel's PSIRT confirms reported vulnerability
2019-08-01 second vulnerability report sent to vendor
stay tuned, and FAR away from executable installers!
Stefan Kanthak
PS: wrapping an MSI installer in an executable self-extractor
is COMPLETE nonsense!
re.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/379.html>
and <https://capec.mitre.org/data/definitions/29.html>
stay tuned, and FAR AWAY from so-called security products:
their "security" is typically worse than that of the products
they claim
000135
alias STATUS_DLL_NOT_FOUND, which is the expected behaviour
if /DEPENDENTLOADFLAG:0x800 would work as documented and limit
the DLL search path to %SystemRoot%\System32\
stay tuned, and don't trust unverified or incomplete documentation
Stefan Kanthak
etup, every UNPRIVILEGED (non-elevated) program running
under this account can write to %TEMP%\IXP000.tmp, for example a rogue
MSI.dll, and exercise again an "escalation of privilege".
GAME OVER, third time!
stay tuned (and far away from so-called "security solutions")
Stefan Kanthak
printed output.
8. run the command lines to register VBE7.dll, MSOSIP.DLL and
MSOSIPX.dll: notice the message boxes displayed from the
previously built DLLs!
REGSVR32.exe "%ProgramFiles%\vbe7.dll"
REGSVR32.exe "%ProgramFiles%\msosip.dll"
REGSVR32.exe "%Pro
ctice STRICT privilege separation: use your privileged
"Administrator" account (especially the account created during
Windows setup) ONLY for administrative tasks, and COMPLETELY
separate unprivileged user accounts, with elevation requests
DISABLED, for your everyda
~
1. add the NTFS access control list entry (D;OIIO;WP;;;WD) meaning
"deny execution of files in this directory for everyone,
inheritable to all subdirectories" to the (user's) %TEMP%
directory.
NOTE: this does NOT need administrative privileges!
2
.
01.09.2018 23:18 ..
01.09.2018 23:18 SP3QFE
01.09.2018 23:18 update
01.02.2018 23:28 18.808 spmsg.dll
01.02.2018 23:28 234.872 spuninst.exe
ied by the second batch script, executing
their entry point routines with ELEVATED rights: GAME OVER!
Mitigation:
~~~
* DON'T use executable installers!
* NEVER run executable installers in unsafe environments!
Fix:
* DUMP executable installers, use *.MSI or *.INF plus *.CAB!
stay tuned
Stefan Kanthak
(especially the account created during
Windows setup) ONLY for administrative tasks, and COMPLETELY
separate unprivileged user accounts, with elevation requests
DISABLED, for your daily/regular work.
stay tuned
Stefan Kanthak
PS: also see <http://seclists.org/bugtraq/2018/Aug/0>
a minefield of 32-bit forwarder DLLs in your "Downloads"
directory;
2. download
<https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>,
and save it in your "Downloads" directory;
3. execute VMware-player-12.5.9-7535481.exe:
e.
Mitigations:
1. DON'T use executable installers; stay far away from such crap!
2. NEVER run executable installers from UNSAFE directories like
"%USERPROFILE%\Downloads\" or "%TEMP%\"
3. Exercise STRICT privilege separation: use your privileged
"Administrator" account (especially the account created during
Windows setup) only for administrative tasks, and a COMPLETELY
separate unprivileged "standard user" account for your own tasks.
stay tuned
Stefan Kanthak
fy their fully qualified pathname!
Mitigations:
1. DON'T execute executable self-extractors.
2. NEVER execute executable self-extractors with administrative
privileges.
3. extract the payload of the self-extractor with a SAFE and SECURE
unzip.exe into a properly protected d
(via <http://www.office.com/backup>)
from <https://go.microsoft.com/fwlink/p/?LinkID=403713>
3. notice the message boxes displayed from the DLLs saved in
%TEMP%!
stay tuned
Stefan Kanthak
PS: be sure to read
<https://portal.msrc.microsoft.com/en-US/security-guidance/a
planting are treated as won't fix.
OUCH!
The MSRC also ignores the fact that
CHDIR ""
START
is equivalent to adding "" in front of the PATH!
JFTR: loading of DLLs from the CWD can be disabled via
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Ma
"Jeffrey Walton" <noloa...@gmail.com> wrote:
> On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak <stefan.kant...@nexgo.de>
> wrote:
[ http://seclists.org/fulldisclosure/2018/Feb/33 ]
> Not sure if this is related, but:
> https://winbuzzer.com/2018/02/14/m
Despite numerous mails sent to <sec...@microsoft.com> in the last years,
and numerous replies "we'll forward this to the product groups", nothing
happens at all.
stay tuned
Stefan Kanthak
[*] catalog.update.microsoft.com is redirected to
catalog.update.microsoft.com/v7/site
logs.technet.microsoft.com/srd/2014/05/13/load-library-safely/>
... which their own developers and their QA but seem to ignore!
See <https://bugs.chromium.org/p/project-zero/issues/detail?id=440>
for the same vulnerability in another Microsoft product!
stay tuned
Stefan Kanthak
Timeline:
ERROR_SXS_CANT_GEN_ACTCTX
Replacing US-ASCII with UTF-7, ISO-8859-1, Windows-1252 or any
other valid XML encoding except UTF-8 yields the same result.
stay tuned
Stefan Kanthak
/sentinel.html>,
then download
<https://skanthak.homepage.t-online.de/skanthak/download/SENTINEL.DLL>
and save it in an arbitrary directory;
2. save the following batch script in the same directory:
--- IIF.CMD ---
:WAIT
@If Not Exist "%TEMP%\IIF.tmp"
}
// the return value is only used for PROCESS_CREATION_QUERY,
// all other conditions are ignored
return ntStatus;
}
--- EOF ---
stay tuned
Stefan Kanthak
Timeline:
~
2017-03-10 sent vulnerability report to vendor
2017-03-10 reply from vendor: MSRC case 37727 opened
20
information.
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%";
use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories"
ry" (which is writable for everyone) too.
And one more:
6. the OpenSSL libraries shipped are from version 1.0.2d and have
multiple vulnerabilities which have been fixed in version 1.0.2j.
stay tuned
Stefan Kanthak
Timeline:
~
2016-08-29 vulnerability report sent to vendor
84 860 dec Setup SelfUpdate handler update NOT
required: Current version: 7.6.7600.320, required version:
7.6.7600.320
See <http://home.arcor.de/skanthak/slipstream.html> for instructions
for a fix and some more information!
stay tuned
Stefan Kanthak
[°] since this happens during the
bit forwarder DLLs are loaded in the 64-bit
process and that their exports/forwards are processed properly!
Their DllMain() entry points are but NOT called (if they were
you'd see some message boxes)!
stay tuned
Stefan Kanthak
PS: the test whether 64-bit forwarder DLLs placed in %windir% are
loaded in the 32-bit process %windir%\SysWOW64\regedit.exe is
left as an exercise to the reader.
(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
[*]
~~
* Don't use "protected" administrator accounts, NEVER!
* Disable the default user account created during Windows setup,
or demote it to a standard user account.
* Always use standard user accounts with DISABLED UAC-elevation.
* Practice STRICT privilege separation: UAC is a VERY BA
to your own host with UNC paths to
any host reachable from your network where you placed some
malicious DLLs to get pwned instead.
5. Execute the downloaded installers.
PWNED!
6. Add the element from poc#5 to achieve remote code
execution with (user-assisted) escalation of privilege.
7. Execute the downloaded installers.
PWNED²!
stay tuned
Stefan Kanthak
for the target OS' native
installer instead!
See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.
stay tuned
Stefan Kanthak
Timeline:
~
2016-02-12 vulnerability re
or the target OS' native
installer instead!
See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.
stay tuned
Stefan Kanthak
Timeline:
~
2015-12-23 vulnerability report sent
ey load(ed) and execute(d) later with elevated privileges.
An unprivileged user can/could overwrite both files between creation
and execution and gain elevation of privilege.
See <https://cwe.mitre.org/data/definitions/379.html> for this type
of well-known and well-documented vulnerability!
s
brary/security/MS16-041> and
<https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html>
for a similar vulnerability.
stay tuned
Stefan Kanthak
Timeline:
~
2016-06-01 sent vulnerability report to vendor plus US-CERT
web site and save them in your "Downloads" directory;
3. run the (un)installers downloaded in step 2 and notice the message
boxes displayed from the DLLs placed in step 1.
PWNED!
JFTR: since the (un)installers are 32-bit programs and (un)install
both the 32-bit and 64-bit versio
nerable executable installers!
PWNED!
Mitigation(s):
~~
0. don't use executable installers. DUMP THEM, NOW!
1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.
2. stay away from Mozilla's vulnerable instal
ns of this vulnerable
executable installer for Firefox and Firefox ESR.
See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
why you should NEVER name any executable (installer) setup.exe!
stay tuned
Stefan Kanthak
PS: Mozilla fixed the same vulnerabilities in their executable self-
opy it as SetupAPI.dll, COMRes.dll and ClbCatQ.dll;
3. Download <http://home.arcor.de/skanthak/download/WTSAPI32.DLL>,
<http://home.arcor.de/skanthak/download/UXTHEME.DLL>,
<http://home.arcor.de/skanthak/download/RICHED20.DLL> and
save
"Securify B.V." wrote:
>
> Windows Mail Find People DLL side loading vulnerability
>
> Yorick Koster, September 2015
[...]
> - CVE-2016-0100
> -
e/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S e
closure/2015/Dec/33 plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
regards
Stefan Kanthak
PS: I really LOVE (security) software with such trivial beginner's
e
<http://seclists.org/fulldisclosure/2015/Dec/32> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
stay tuned
Stefan Kanthak
Timeline:
~
2015-12-24 se
sclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
stay tuned
Stefan Kanthak
Timeline:
~
2015-12-28 report sent t
ChromeRecovery.exe
For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://cwe.mitre.org/data/definitions/426.html> and
": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_wh
"Jernej Simončič" <jernej|s...@eternallybored.org> wrote:
> On 23. februar 2016, 17:37:54, Stefan Kanthak wrote:
>
>> Proof of concept/demonstration:
>> ~~~
>[snip]
>> PWNED!
>
> Can't reproduce - tested on Windo
ork/topics/security/cpujan2016-2367955.html>
stay tuned
Stefan Kanthak
rary/ms682586.aspx> plus
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>:
| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is
~~
| constant.
regards
Stefan K
ws
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
//seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/!execute.html> and
<http://home.arcor.de/skanthak/sentinel.html> for details about
this well-known and well-documented BEGINNER'S error!
regards
S
/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be
dum
Mitigation:
~~~
use SAFER alias Software Restriction Policies and deny execution
everywhere except %SystemRoot% and below and %ProgramFiles% and
below.
See <http://home.arcor.de/skanthak/SAFER.html> and/or
<http://mechbgon.com/srp/index.html> for instructions.
stay tuned
Stefan Kanthak
t; alias %ProgramData%" and "%PUBLIC%": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_file
ure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable
l>,
<https://capec.mitre.org/data/definitions/29.html> ...
See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html>
l, on
Windows Vista and newer versions of Windows additionally Version.dll
into %TEMP%\is-*.tmp. These DLLs are loaded from the unpacked
%TEMP%\is-*.tmp\Emsisoft*.tmp too.
PWNED again.
stay tuned
Stefan Kanthak
PS: I really LOVE (security) software with such trivial beginner's
er
d be
dumped.
Kaspersky Lab published a security advisory 2015-12-23
<https://support.kaspersky.com/vulnerability.aspx?el=12430#231215>
after they made updated versions of their utilities available on
<https://support.kaspersky.com/viruses/utility>
stay tuned
Stefan Kanthak
ed a security advisory
<https://www.f-secure.com/en/web/labs_global/fsc-2015-4>
and made an updated version of their online scanner available on
<https://www.f-secure.com/en/web/home_global/online-scanner>
CAVEAT: F-Secure's fix works only on Windows Vista and newer versions;
the vulnerability is still present on earlier versions of
Windows!
stay tuned
Stefan Kanthak
d-deprecation>
Especially note that Rapid7 removed the now deprecated ScanNowUPnP.exe
and advises all users to remove it from any system that still has it.
stay tuned
Stefan Kanthak
[°] <http://seclists.org/fulldisclosure/2015/Nov/101>
['] <http://seclists.org/bugtraq/2015/Dec/112>
[²] <http://seclists.org/bugtraq/2015/Dec/61>
<http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.google.de/books?isbn=1437914926>
were/are vulnerable under Windows
NT 5.x resp. Windows Embedded POSReady 2009, but ain't vulnerable
any more in all newer versions of Windows.
Conclusion: executable installers which link to "unknown DLLs" are in
general unsafe for normal users.
The only SAFE option for general use is: DUMP executable installers.
stay tuned
Stefan Kanthak
ownloads"
directory;
4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll placed in step 1.
stay tuned
Stefan Kanthak
Timeline:
~
2015-11-15 vulnerability report sent to vendor
2015-11-16 vendor acknowledges receipt
2015-11-17 vend
bilities see Intel's Security Bulletin published today:
<https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462>
stay tuned
Stefan Kanthak
directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.
(D;OIIO;WP;;;WD)" meaning "deny execution of
files in this directory for everyone, inheritable to all files
in all subdirectories" (use CACLS.EXE /SDDL for example);
* use "software restriction policies" resp. AppLocker.
stay tuned
Stefan Kanthak
PS: Mozilla
snt work at
all in standard user accounts when UAC is set to "never elevate".
This is another clear violation of Microsoft's own UX guidelines!
stay tuned
Stefan Kanthak
PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
this and several other missing registry entries which enable
"Run as administrator" and "Run as different user" for quite some
file types.
hat you create a
| standard account and use it for your everyday computing. If you create
| new user accounts, you should also make them standard accounts. Using
| standard accounts will help keep your computer more secure.
> [*] see <http://home.arcor.de/skanthak/sentinel.html>
alified pathname %SystemRoot%\RegEdit.exe
2. Define ACLUI.DLL as "known DLL":
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\KnownDLLs]
"aclui"="ACLUI.DLL"
stay tuned
Stefan Kanthak
[*] see <http://home.arcor.de/skanthak/sentinel.html>
icrosoft download center offers plenty of them) with a
command line of your choice, for example
CAPICOM-KB931906-v2102.exe /C:"%COMSPEC% /K Title PWNED!"
Due to UAC's installer detection the given command line is executed
with full administrative privileges.
stay tuned
Stefan Kanthak
Microsoft introduced
the loading of virtual OEM device drivers during Windows setup, see
https://support.microsoft.com/en-us/kb/896453
AFAIK at least HP and Dell used this method to deploy [F6] drivers
embedded in their BIOS.
[...]
stay tuned
Stefan Kanthak
Mario Vilas mvi...@gmail.com wrote:
W^X applies to memory protection, completely irrelevant here.
I recommend to revisit elementary school and start to learn reading!
http://seclists.org/bugtraq/2015/Aug/8
| JFTR: current software separates code from data in virtual memory and
| uses
://seclists.org/fulldisclosure/2009/Sep/0
JFTR: Windows Vista and later include NEWER versions of these DLLs,
there is absolutely no need to redistribute an ancient version
in your product at all (especially after Windows XP and 2003
have reached end-of-life)!
stay tuned
Stefan Kanthak
Ansgar Wiechers bugt...@planetcobalt.net wrote:
On 2015-08-05 Stefan Kanthak wrote:
Mario Vilas mvi...@gmail.com wrote:
If this is the case then the problem is one of bad file permissions,
not the location.
Incidentally, many other browsers and tons of software also store
executable code
privilege escalation here?
Burn your strawmen somewhere else.
Stefan
PS: STOP top-posting, NOW!
On Thu, Aug 6, 2015 at 7:30 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Mario Vilas mvi...@gmail.com wrote:
If it can only be written by your own user, what would be the
security boundary being
of executables in write-protected locations.
ie. %ProgramFiles% or /usr/bin, where only privileged users can write.
regards
Stefan
PS: top-posting is EVIL too!
On Wed, Aug 5, 2015 at 5:33 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Mario Vilas mvi...@gmail.com wrote:
%APPDATA% is within
about this issue for the time being.
JFTR: top posting is a bad habit too!
On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Hi @ll,
Mozilla Thunderbird 38 and newer installs and activates per default
the 'Lightning' extension.
Since extensions live
and) Thunderbird and subject to the
restrictions imposed by these programs for non-XUL/chrome Javascript.
Mitigation(s):
~~
Disable profile local installation of extensions in Mozilla products,
enable ONLY application global installation of extensions.
stay tuned
Stefan Kanthak
software!
Stefan Kanthak
and Thunderbird.
According to the 20+ years old Designed for Windows guidelines!
shared components go to %CommonProgramFiles%\vendor\component.
JFTR: are you kidding?
(why) are Gecko, NSS, XUL, ICU etc. NO shared components?
stay tuned
Stefan Kanthak
['] Windows SetupAPI exists since
when notified
over and over again!
Defense in depth?
Nope!
Software engineering?
Nope!
BRAINDEAD behaviour of Windows CreateProcess*() functions?
Yes, of course, always!
Taking care for the safety and security of their customers' systems?
Nope!
stay tuned (and far away from crapware!)
Stefan
| accounts for other people on your PC, it's a good idea to give
| them standard accounts.
stay tuned
Stefan Kanthak
. the pathname of the found executable gets quoted if it contains
a space.
The documentation of the function GetCommandLine()
https://msdn.microsoft.com/en-us/library/ms683156.aspx
but misses this completely!
Stay tuned!
regards
Stefan Kanthak
['] as soon as a name contains a single
[*] without
dissecting its *.MSI files.
Until Apple's developers, their QA and their managers start to
develop a sense for their customers' safety and security and
due diligence: stay away from Apple's (Windows) software!
stay tuned
Stefan Kanthak
[*] https://cwe.mitre.org/data/definitions/428.html
registering standard verbs, do not set the default value
| for the Open key. The default value contains the display string
| on the menu. The operating system supplies this string for
| standard verbs.
regards
Stefan Kanthak
PS: Windows 7, and of course Windows 8, Windows 8.1
Stefan Kanthak
dir\program.exe name
c:\program files\sub dir\program name.exe
JFTR: without this transformation splitting of the command line
into the argv vector would give wrong results ... in
presence of CreateProcess*() braindead behaviour!
Stay tuned!
regards
Stefan Kanthak
PS
your changes and import the file into the registry:
REGEDIT.EXE /S OUTLOOK.REG
Start SPAD again and find Microsoft Office Outlook now displayed as
mail program.
enjoy
Stefan Kanthak
[*] at least Windows 7, but I assume this behaviour was introduced
with Windows Vista; in earlier versions
AppInit_DLLs are only supported on Windows NT
(see https://support.microsoft.com/kb/134655) a braindead
developer chose not to use a REG_MULTI_SZ value (avoiding
the need to interpret spaces as separator and thus supporting
long filenames).
have fun
Stefan Kanthak
Cf. http://support.microsoft.com/kb/24671743 and
http://support.microsoft.com/kb/2565063 alias
http://www.microsoft.com/technet/security/bulletin/ms11-025
Will Apple's developers and their QA EVER learn how to use filenames
with embedded spaces properly?
regards
Stefan Kanthak
to
develop a sense for safety and security:
stay away from their (Windows) software!
regards
Stefan Kanthak
Timeline:
~
2014-06-06 informed vendor
2014-06-06 vendor sent automated response
... no more reaction
2014-07-03 requested status
... no answer
://www.howsmyssl.com/,
https://www.ssllabs.com/ssltest/viewMyClient.html or
https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and
later after the reboot.
have fun
Stefan Kanthak
JFTR: IPsec is able to use perfect forward secrecy for MANY years,
see http://support.microsoft.com/kb/252735
the rogue
programs C:\Program.exe or C:\Program Files\Microsoft.exe
regards
Stefan Kanthak
, Protected Administrator should be considered the equivalent
| of Administrator.
regards
Stefan Kanthak
and upgrade
to Windows Live Mail 2012 ASAP!
regards
Stefan Kanthak
PS: the associations for .eml and .nws DON'T show this beginner's error:
WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows
Live\Mail\wlmail.exe /eml:%1
WindowsLiveMail.News.1=C:\Program Files (x86)\Windows
Live\Mail
4.6.1.0
regards
Stefan Kanthak
PS: the obvious and trivial fix: edit the 2 erroneous command lines and
add the missing quotes. But don't forget to fix them after every update
of Apple's crap for Windows.
them properly.
If you detect such silly beginner's errors: report them and get them fixed.
If the vendor does not fix them: trash the trash!
regards
Stefan Kanthak
PS: for static detection of these silly beginner's errors download and
run http://home.arcor.de/skanthak/download/SLOPPY.CMD
with the decision between tightening up
the behavior of an API vs. breaking customer applications that people
regularly use, what would your choice be?
I don't need to choose!
There was no compatibility to break.
Stefan
Original message
From: Stefan Kanthak
Date:07/30/2014 3:19 AM
not take into account, again) WinExec()
supports under Win32 exactly the same semantics as under Win16.
Stefan
Original message
From: Stefan Kanthak
Date:07/30/2014 8:26 AM (GMT-08:00)
To: Joe Souza , Michael Cramer , Gynvael Coldwind
Cc: fulldisclosure , Brandon Perry , bugtraq
point.
Really?
Where did I write that CreateProcess() should guess how many parts of
the command line form the path to the application?
You still don't get the point, you don't even read what I wrote.
Stefan
-Original Message-
From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
Sent
, and you have
to use sudo explicitly.
On Windows, all user accounts created during setup are administrator
accounts which show the above mentioned behaviour.
Is this enough of a difference?
Sent from my Surface Pro 3
ARGH!
I don't need any advertising!
Stefan
From: Stefan Kanthak