Full Disclosure mailing list archives

By Date By Thread Defense in depth -- the Microsoft way (part 26): "Set Program Access and Computer Defaults" hides applications like Outlook From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Wed, 31 Dec 2014 00:38:56 +0100

Hi @ll, in order to prevent the possible execution of a rogue program like "C:\Program.exe" or "C:\Program Files\Microsoft.exe", on x64 also "C:\Program Files.exe" or "C:\Program Files (x86)\Microsoft.exe", due to the beginner's error of using unquoted pathnames containing spaces (see <https://cwe.mitre.org/data/definitions/428.html>), Windows' [*] "Set Program Access and Computer Defaults" (SPAD, see <http://msdn.microsoft.com/library/cc144162.aspx>) hides programs that are registered with such erroneous and vulnerable command lines. For example Microsoft Outlook 2007, Microsoft Outlook 2010 as well as Microsoft Outlook 2013. If you have one of these versions of Microsoft Outlook installed but can't configure it with SPAD, export its registry entries with the erroneous and vulnerable command lines into a file OUTLOOK.REG: REGEDIT.EXE /A OUTLOOK.REG "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo" The file OUTLOOK.REG will look like this (the wildcard ? varies with your version of Outlook): --- OUTLOOK.REG --- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo] "IconsVisible"=dword:00000001 "HideIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadhideicons" "ShowIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadshowicons" "ReinstallCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadreinstall" --- EOF --- Open the file with your favorite editor and insert the string \" before and after (the 3 occurences of) the pathname C:\\Program Files\\Microsoft Office\\OFFICE1#\\OUTLOOK.EXE The corrected file should look like this: --- OUTLOOK.REG --- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo] "IconsVisible"=dword:00000001 "HideIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadhideicons" "ShowIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadshowicons" "ReinstallCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadreinstall" --- EOF --- Save your changes and import the file into the registry: REGEDIT.EXE /S OUTLOOK.REG Start SPAD again and find "Microsoft Office Outlook" now displayed as mail program. enjoy Stefan Kanthak [*] at least Windows 7, but I assume this behaviour was introcuded with Windows Vista; in earlier versions of Windows SPAD but displays applications with erroneous and vulnerable command lines and runs rogue programs! PS: will MSFT ever afford a QA that can find such bloody trivial beginner's errors? _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Defense in depth -- the Microsoft way (part 26): "Set Program Access and Computer Defaults" hides applications like Outlook Stefan Kanthak (Jan 02)