
Defense in depth -- the Microsoft way (part 12): NOOP security fixes

Hi @ll,

with <http://technet.microsoft.com/security/bulletin/ms12-034>
Microsoft addressed CVE-2012-0181 for Windows NT 5.x; see
<https://support.microsoft.com/kb/2686509> for details.

BUT: the hotfix KB2686509 does NOT fix anything!

Instead it just checks ONCE(!) whether all the "keyboard layout DLLs"
registered beneath

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]

are either registered with their fully-qualified pathname or exist in

This STATIC, ONE-TIME check does NOT cure the problem, it only checks
for the symptom!

If Microsoft REALLY cared about security, the hotfix KB2686509 (or
better: Windows setup) would (re)write all references to filenames with
their fully-qualified pathname, i.e. as

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\<LCID>]


2004-08-23    informed vendor about still unfixed principal security
              flaws due to unqualified filenames and Windows' EXE/DLL
              search/load order after release of SP2 for Windows XP

JFTR: Microsoft started their "trustworthy computing" initiative in
      2001, and XP SP2 was supposed to eliminate many of the errors
      Microsoft made in previous versions of NT.

2004-08-25    vendor replies "no vulnerabilities", but forwards report
              to product groups/teams

2004-09-02    vendor still won't see vulnerabilities, asks for POC(s)


2008-05-30    vendor publishes

2009-04-15    vendor publishes <http://support.microsoft.com/kb/959426>

2010-08-23    vendor publishes
              and updates it over and over again since then

2012-05-08    vendor publishes <http://support.microsoft.com/kb/2686509>

stay tuned
Stefan Kanthak

PS: if Microsoft weren't such sloppy coders and had a QA department, this
    whole class of vulnerabilities would not exist: the path to EVERY
    executable in Windows is well-known, all references can use the
    fully-qualified, absolute pathname.

    <http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
    2500+ unqualified (plus not properly quoted long) filenames left in
    the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
    (plus not properly quoted long) filenames in the \i386\HIVE*.INF and
    \i386\DMREG.INF (from which the initial registry is built) on the
    installation media.

    <http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
    4500+ unqualified filenames in the registry of Windows 7 Professional
    with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
    documents some other issues.
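The audit the post contrasts with the hotfix's one-time check, as an added example that is not part of Stefan Kanthak's post, of KB2686509, or of any Microsoft tool: it enumerates the keyboard layout entries, reports every "Layout File" value that is a bare file name rather than a fully-qualified path, and, with -Fix, rewrites such entries to the fully-qualified System32 path, which is the remedy the post asks for. Assumptions not taken from the post: the key name `Keyboard Layouts` (plural) and the value name `Layout File` are the ones found on current Windows builds, and `$env:SystemRoot\System32` is where the layout DLLs reside.

```powershell
# Added example (not from the post or from KB2686509).
# Audits, and optionally repairs, the "Layout File" values beneath
#   HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\<KLID>
# A bare file name ("KBDUS.DLL") is resolved by the loader through its
# DLL search order; a fully-qualified path (C:\Windows\System32\KBDUS.DLL)
# is not. Unlike the one-time check in the hotfix, this runs on every call.
#
# Assumptions (not from the post): key name "Keyboard Layouts", value name
# "Layout File", and $env:SystemRoot\System32 as the home of the layout DLLs.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Rewrite unqualified entries to their fully-qualified path.
    [switch]$Fix
)

$layoutsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$system32   = Join-Path $env:SystemRoot 'System32'

function Test-FullyQualifiedPath {
    param([string]$Path)
    # Accept "X:\..." and UNC "\\server\share\..." forms only; a bare name,
    # a relative path, or a drive-relative "X:foo" counts as unqualified.
    return [System.IO.Path]::IsPathRooted($Path) -and
           ($Path -match '^[A-Za-z]:\\' -or $Path -match '^\\\\')
}

$findings = foreach ($sub in Get-ChildItem -Path $layoutsKey) {
    $props = Get-ItemProperty -Path $sub.PSPath -Name 'Layout File' -ErrorAction SilentlyContinue
    $layoutFile = $props.'Layout File'
    if (-not $layoutFile) { continue }

    $qualified = Test-FullyQualifiedPath $layoutFile
    # Where the entry is unqualified, the intended file is the one in System32.
    $candidate = if ($qualified) { $layoutFile } else { Join-Path $system32 $layoutFile }

    [pscustomobject]@{
        KLID       = $sub.PSChildName
        LayoutFile = $layoutFile
        Qualified  = $qualified
        Exists     = Test-Path -LiteralPath $candidate -PathType Leaf
        Resolved   = $candidate
    }
}

# Report: unqualified entries are the ones the post is about; missing files
# are the symptom the hotfix's one-time check looks for.
$findings | Where-Object { -not $_.Qualified -or -not $_.Exists } |
    Format-Table KLID, LayoutFile, Qualified, Exists, Resolved -AutoSize

if ($Fix) {
    # Only rewrite entries whose target actually exists in System32.
    foreach ($f in $findings | Where-Object { -not $_.Qualified -and $_.Exists }) {
        $target = Join-Path $layoutsKey $f.KLID
        if ($PSCmdlet.ShouldProcess($target, "Set 'Layout File' to $($f.Resolved)")) {
            Set-ItemProperty -Path $target -Name 'Layout File' -Value $f.Resolved
        }
    }
}
```

Run it from an elevated prompt; `.\Audit-KeyboardLayouts.ps1` only reports, and `.\Audit-KeyboardLayouts.ps1 -Fix -WhatIf` shows the rewrites before `-Fix` applies them. Scheduling the report variant (or feeding its output to a configuration-drift check) turns the hotfix's one-time check into the continuous one the post argues for.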