Why don't I agree with Bruce Schneier all the time :)

re: Why don't I agree with Bruce Schneier all the time :)

anonymous (again) — Fri, 29 Jun 2007 02:07:34 GMT

For writing a desktop.ini, you don't need to run any program. Just pack it up in a ZIP file together with the malware and let the user extract it. Voilà, the malware and the desktop.ini end up in the same folder.

Even further, you can name the folder as Foldername.{GUID} whereas the GUID is a reserved one of the shell namespace, f.e. the MyDocs GUID. In this case, independent of your settings, Windows Vista will definitely load the desktop.ini and act accordingly.

Or what if the user downloads multiple files with a download manager? He won't even see a redirect to the different filename "desktop.ini" instead of "some_cool_stuff.zip". He also downloads the malware, and then, since they end up in the same folder, the trick works again.

As for PMP: According to my analysis, the application is also providing a policy (TagDRMRights struct) which then enforces how drmk.sys forwards data and signals the required commands to DRMed driver, or the shutdown of non-acceptable drivers to the ks.sys subsystem.

At any rate, on Windows XP you can safely replace drmk.sys with a dummy module and remove the rest of the DRM subsystem. Now, how does this work on Windows Vista? I'd say not at all.

re: Why don't I agree with Bruce Schneier all the time :)

Robert Wray — Thu, 28 Jun 2007 23:23:07 GMT

"Did you notice the folder names that you traverse in order to get to those shortcuts? Do you think I'm going to waste time experimenting to see if they'll still work after renaming one of the folders to "Netscape Navigator"? Do you think maybe someone other than a monopoly set that folder name because that would be the real way to get Netscape kicked out of preinstalls when OEMs wouldn't cave in to financial bullying?"

I *think* QuickLaunch was originally added by the IE4 upgrades to the shell, someone please feel free to correct me if that's wrong :) But, if that's the case, then the reason that the path contains "Internet Explorer" is one near and dear to Microsofts heart, back-compat...

re: Why don't I agree with Bruce Schneier all the time :)

Norman Diamond — Thu, 28 Jun 2007 09:58:57 GMT

Thursday, June 28, 2007 1:00 AM by Dean Harding

>> My Quickstart toolbar still gets to contain shortcuts that I

>> want it to contain.

> If you mean "shortcuts to internet locations"

I mean shortcuts to programs that I want to invoke. Theoretically it could mean shortcuts to internet locations, though I never thought of using up valuable real estate in the task bar for such a purpose.

Did you notice the folder names that you traverse in order to get to those shortcuts? Do you think I'm going to waste time experimenting to see if they'll still work after renaming one of the folders to "Netscape Navigator"? Do you think maybe someone other than a monopoly set that folder name because that would be the real way to get Netscape kicked out of preinstalls when OEMs wouldn't cave in to financial bullying?

Anyway, I do find the Quickstart toolbar convenient, I do use it, and hold my nose while traversing directories to get there.

re: Why don't I agree with Bruce Schneier all the time :)

Larry Osterman [MSFT] — Thu, 28 Jun 2007 09:39:56 GMT

Dean: I think I found tomorrows post.

re: Why don't I agree with Bruce Schneier all the time :)

Dean Harding — Thu, 28 Jun 2007 08:00:33 GMT

> So the desktop.ini file COULD be used as a stepping stone to gaining system access.

Possibly, I suppose. But like I said, if you can already read/write a desktop.ini file, you don't need to disguise an exe as a jpg or whatever. Unless you've *already* compromised the system and are just leaving your "picture" as a surprise :-)

A possible fix would be to simply not allow you to change the extension of a file using desktop.ini.

> My Quickstart toolbar still gets to contain shortcuts that I want it to contain.

If you mean "shortcuts to internet locations" then that has nothing to do with Internet Explorer. You could just as easily have those shortcuts launch in Firefox using the "set program and access defaults" thingy... if you mean something else, please elaborate.

re: Why don't I agree with Bruce Schneier all the time :)

Larry Osterman [MSFT] — Thu, 28 Jun 2007 07:55:49 GMT

anonymous: the PMP is actually an area that I'm VERY familiar with.

And this code isn't new - drmk.sys existed on XP and it did exactly the same thing in XP as it does in Vista - it scanned the system looking for unsigned drivers and reported their presence to the application rendering audio which was allowed to make a policy decision based on the presence of unsigned drivers in the rendering path.

Nothing has changed in that area for Vista (there were other parts of the DRM system that did change for Vista, the introduction of protected processes, for example, but that part didn't change).

The S/PDIF cutout was also in XP (including the USB exception which is still in Vista (USB S/PDIF devices don't have to disable their S/PDIF output when protected content is rendered - go figure that one out).

re: Why don't I agree with Bruce Schneier all the time :)

Larry Osterman [MSFT] — Thu, 28 Jun 2007 07:51:24 GMT

IMHO the desktop.ini file thingy could actually be interesting. RSnake gave a great talk at BlueHat called "A death of 1000 cuts" where he discussed how small vulnerabilities can lead to exploitation.

IMHO, the classic example of this is Liu Die Yu's 6 step IE compromise (http://archive.cert.uni-stuttgart.de/bugtraq/2003/11/msg00029.html), which took 6 different moderate class vulnerabilities (none of which alone could be used to gain system access) and combined them together in such a way as to gain system access.

So the desktop.ini file COULD be used as a stepping stone to gaining system access.

re: Why don't I agree with Bruce Schneier all the time :)

Norman Diamond — Thu, 28 Jun 2007 06:27:26 GMT

> IE's not integrated into anything

In Vista, I believe about 99% of that. Two examples of why I believe that much:

(1) Windows Update appears to operate as a Control Panel applet instead of Internet Explorer ActiveX control.

(2) The boot logo doesn't boast that monopoly power got every browser other than Internet Explorer booted out of OEM distributions.

One example of why I don't believe more than 99%:

My Quickstart toolbar still gets to contain shortcuts that I want it to contain.

> I can't speak to the localizedfilename feature

But you could test it easily. I think[*] you can just edit that file with Notepad. I think the only possible effect is, as Anonymous said, to spoof the user. We've seen that repetitions of spoofs like loveletterforyou.txt.vbs still aren't security issues and still don't need any reconsideration of default settings in Vista and even in server OSes, so don't waste time experimenting unless you want to experiment.

[* I've viewed it in Notepad but haven't experimented with changing it.]

re: Why don't I agree with Bruce Schneier all the time :)

Dean Harding — Thu, 28 Jun 2007 05:10:20 GMT

Methinks "anonymous" (if that *is* his real name) is just making stuff up as he goes along.

That desktop.ini thing is pretty stupid to begin with. I mean, if you can already read/write the desktop.ini file it means you're already executing code, right? So what does adding that stuff to desktop.ini give you in addition?

re: Why don't I agree with Bruce Schneier all the time :)

anonymous — Thu, 28 Jun 2007 03:35:50 GMT

Strange enough the official documentation about DRM even states some of the internas of DRM, f.e. how Protected Media Path, when being requested, forces the shutdown of any non-compliant sound driver.

Then again, of course MSIE is deeply integrated within the Explorer shell. What do you think where the single-click link stuff, the thumbnails etc. come from? Why it's called ShellDocView control? Or what the desktop.htt does? Hell, it even extracts HTML from image metadata. Just one little bug in IE, and just viewing a set of files in Explorer can trigger arbitrary code, and of course MSIE is full of years-old unpatched vulnerabilities.