"Shawn McMahon" <sybergh...@gmail.com> wrote:
> On Wed, Dec 23, 2015 at 7:13 AM, Stefan Kanthak <stefan.kant...@nexgo.de>
> wrote:
>
>> Hi @ll,
>>
>> F-Secure's online virus scanner F-SecureOnlineScanner.exe, available
>> via <https://www
ed a security advisory
<https://www.f-secure.com/en/web/labs_global/fsc-2015-4>
and made an updated version of their online scanner available on
<https://www.f-secure.com/en/web/home_global/online-scanner>
CAVEAT: F-Secure's fix works only on Windows Vista and newer versions;
th
<http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.google.de/books?isbn=1437914926>
ownloads"
directory;
4. notice the message boxes displayed from WTSAPI32.dll, UXTheme.dll
and/or RichEd20.dll placed in step 1.
stay tuned
Stefan Kanthak
Timeline:
~
2015-11-15  vulnerability report sent to vendor
2015-11-16  vendor acknowledges receipt
2015-11-17  vend
disclosure/2015/Nov/101> titled
Mitigations for "carpet bombing" alias "directory poisoning" attacks against
executable installers.
Nmap-7.01 and WinPcap-Nmap-4.13 have been released and fix these
vulnerabilities.
stay tuned
Stefan Kanthak
bilities see Intel's Security Bulletin published today:
<https://service.mcafee.com/FAQDocument.aspx?lc=1033=TS102462>
stay tuned
Stefan Kanthak
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.
home.arcor.de/skanthak/safer.html> and/or
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>
or <https://books.google.de/books?isbn=1437914926> and finally
": Windows
doesn't place executables in these directories and beyond.
See <http://home.arcor.de/skanthak/safer.html> as well as
<http://mechbgon.com/srp/> plus
<http://csrc.nist.gov/itsec/SP800-68r1.pdf>,
<https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf
xe" name
| "c:\program files\sub dir\program name.exe"
Neither the 4 other possibilities:
"C:\Program" files\sub dir\program name
"C:\Program files\sub" dir\program name
"C:\Program files\sub dir\program" name
"
extracting installers which unpack their
payload to %TEMP%; but these are flawed per concept too!
If you need to support such crap, consider removing the USER
environment variables %TEMP% and %TMP% of the administrator
account. The administrat
"Shawn McMahon" sybergh...@gmail.com wrote:
> On Mon, Oct 5, 2015 at 8:16 AM, Stefan Kanthak <stefan.kant...@nexgo.de>
> wrote:
>
>>
>> That's why giving unsuspecting users *.EXE to install a software package
>> or to unpack an archive and thus train
Lee "cant afford a surname" wrote:
> Haifei Li, changing the default behavior to open a window asking the
> user where to save the file would change nothing. A "normal user"
> would just click the "save" button to save the file in the default
> folder. I also don't think
"Gynvael Coldwind" wrote:
> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
Amen!
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file,
"Haifei Li" wrote:
> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download
> something on your modern browser e.g.
snt work at
all in standard user accounts when UAC is set to "never elevate".
This is another clear violation of Microsoft's own UX guidelines!
stay tuned
Stefan Kanthak
PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
this and several other mis
ator account that allows you to set up
| your computer and install any programs that you'd like to use. Once
| you finish setting up your computer, we recommend that you create a
| standard account and use it for your everyday computing. If you create
| new user accounts, you should also ma
ations with Windows 10:
see <http://home.arcor.de/skanthak/download/W10_PATH.INF> for the
about 2000 registry entries with unqualified pathnames found in the
image of the professional edition in the \sources\install.wim
stay tuned
Stefan Kanthak
[*] see <http://home.arcor.de/skanthak/downlo
://seclists.org/fulldisclosure/2009/Sep/0
JFTR: Windows Vista and later include NEWER versions of these DLLs,
there is absolutely no need to redistribute an ancient version
in your product at all (especially after Windows XP and 2003
have reached end-of-life)!
stay tuned
Stefan Kanthak
and) Thunderbird and subject to the
restrictions imposed by these programs for non-XUL/chrome Javascript.
Mitigation(s):
~~
Disable profile local installation of extensions in Mozilla products,
enable ONLY application global installation of extensions.
stay tuned
Stefan Kanthak
software!
Stefan Kanthak
when notified
over and over again!
Defense in depth?
Nope!
Software engineering?
Nope!
BRAINDEAD behaviour of Windows CreateProcess*() functions?
Yes, of course, always!
Taking care for the safety and security of their customers' systems?
Nope!
stay tuned (and far away from crapware!)
Stefan
. the pathname of the found executable gets quoted if it contains
a space.
The documentation of the function GetCommandLine()
https://msdn.microsoft.com/en-us/library/ms683156.aspx
but misses this completely!
Stay tuned!
regards
Stefan Kanthak
['] as soon as a name contains a single
[*] without
dissecting its *.MSI files.
Until Apple's developers, their QA and their managers start to
develop a sense for their customers' safety and security and
due diligence: stay away from Apple's (Windows) software!
stay tuned
Stefan Kanthak
[*] https://cwe.mitre.org/data/definitions/428.html
Stefan Kanthak
/Oracle Java 6.x and thus installed on many user systems is
a good trampoline for attacks.
There is ABSOLUTELY no justification for Apple or any other
developer to ship VULNERABLE components at all!
regards
Stefan Kanthak
On Sat, Jan 31, 2015 at 10:11 AM, Stefan Kanthak
dir\program.exe name
c:\program files\sub dir\program name.exe
JFTR: without this transformation splitting of the command line
into the argv vector would give wrong results ... in
presence of CreateProcess*() braindead behaviour!
Stay tuned!
regards
Stefan Kanthak
PS
://support.microsoft.com/kb/2500212,
https://support.microsoft.com/kb/2565057 and
https://support.microsoft.com/kb/2565063),
which updates the MSVCRT (including header files etc.) to version
10.0.40219.325.
regards
Stefan Kanthak
AppInit_DLLs are only supported on Windows NT
(see https://support.microsoft.com/kb/134655) a braindead
developer chose not to use a REG_MULTI_SZ value (avoiding
the need to interpret spaces as separator and thus supporting
long filenames).
have fun
Stefan Kanthak
in Windows 8.1) to dump offline registry hives and to detect errors
and inconsistencies in key names, value names and value data.
regards
Stefan Kanthak
^Wadministrator BEWARE!
regards
Stefan Kanthak
JFTR: unfortunately there don't exist registry entries like those
for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11
to generally block the offering/installation of Silverlight
or Microsoft Security Essentials per Windows Update
Google Chrome 39.
regards
Stefan Kanthak
PS: To catch all instances of this beginner's error download
http://home.arcor.de/skanthak/download/SENTINEL.CMD,
http://home.arcor.de/skanthak/download/SENTINEL.DLL,
http://home.arcor.de/skanthak/download/SENTINEL.EXE and
http
to
develop a sense for safety and security:
stay away from their (Windows) software!
regards
Stefan Kanthak
Timeline:
~
2014-06-06  informed vendor
2014-06-06  vendor sent automated response
... no more reaction
2014-07-03  requested status
... no answer
://www.howsmyssl.com/,
https://www.ssllabs.com/ssltest/viewMyClient.html or
https://cc.dcsec.uni-hannover.de/ with Internet Explorer 8 and
later after the reboot.
have fun
Stefan Kanthak
JFTR: IPsec is able to use perfect forward secrecy for MANY years,
see http://support.microsoft.com/kb/252735
and upgrade
to Windows Live Mail 2012 ASAP!
regards
Stefan Kanthak
PS: the associations for .eml and .nws DON'T show this beginner's error:
WindowsLiveMail.Email.1=C:\Program Files (x86)\Windows
Live\Mail\wlmail.exe /eml:%1
WindowsLiveMail.News.1=C:\Program Files (x86)\Windows
Live\Mail
, Protected Administrator should be considered the equivalent
| of Administrator.
regards
Stefan Kanthak
4.6.1.0
regards
Stefan Kanthak
PS: the obvious and trivial fix: edit the 2 erroneous command lines and
add the missing quotes. But don't forget to fix them after every update
of Apple's crap for Windows.
them properly.
If you detect such silly beginner's errors: report them and get them fixed.
If the vendor does not fix them: trash the trash!
regards
Stefan Kanthak
PS: for static detection of these silly beginner's errors download and
run http://home.arcor.de/skanthak/download/SLOPPY.CMD
not sure why did you bring UAC into the discussion - did I miss
something? or was it just an argument you've heard before and wanted
to reply to it preventively?)
Cheers!
regards
Stefan
On Fri, Jul 25, 2014 at 2:50 PM, Stefan Kanthak stefan.kant...@nexgo.de
wrote:
Gynvael Coldwind wrote
| the executable path in lpCommandLine, as shown in the example below.
Long filenames were introduced 20 years ago, but M$FT's developers still
can't handle them properly, and their QA is unable to detect such silly
and trivial to spot bugs!
regards
Stefan Kanthak
PS: yes, it needs
which evaluate PATH, i.e.
CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified
with their fully qualified pathname.
regards
Stefan Kanthak
Timeline:
~
2014-01-23  informed vendor
2014-01-23  vendor opens MSRC case 16790
... no more reaction from vendor
2014
security response team the vulnerable driver was
pulled from Windows Update.
Unfortunately (or should I write: of course) the drivers offered on
Synaptics web site have this silly bug too!
regards
Stefan Kanthak
PS: the following lines of the SYNPD.INF show the same silly bug:
|
HKLM,Software
and
http://seclists.org/fulldisclosure/2013/May/37 for just the tip of the
iceberg).
navigare^Wsoftware engineering necesse est!
regards
Stefan Kanthak
rights every user owning such an account can create the rogue program,
resulting in a privilege escalation.
JFTR: no, the user account control is not a security boundary!
regards
Stefan Kanthak
PS: for static detection of these silly beginner's errors download and
run http://home.arcor.de
\
Au_.exe in turn called Windows' CreateProcess() function with the
(you guess it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe
regards
Stefan Kanthak