• The Old New Thing

    When people ask for security holes as features: World-writable files


    If I had a nickel each time somebody asked for a feature that was a security hole...

    I'd have a lot of nickels.

    For example, "I want a file that all users can write to. My program will use it as a common database of goodies."

    This is a security hole. For a start, there's an obvious denial of service attack: a user opens the file in exclusive mode and never lets go. There's also a data tampering attack, where the user opens the file and writes zeros all over it or merely alters the data in subtle ways. Your music index suddenly lost all its Britney Spears songs. (Then again, maybe that's a good thing. Sneakier would be to edit the index so that when somebody tries to play a Britney Spears song, they get Madonna instead.) [Minor typo fixed. 10am]

    A colleague from the security team pointed out another problem with this design: Disk quotas. Whoever created the file is charged for the disk space consumed by that file, even if most of the entries in the file belong to someone else. If you create the file in your Setup program, then it will most likely be owned by an administrator. Administrators are exempt from quotas, which means that everybody can party their data into the file for free! (Use alternate data streams so you can store your data there without affecting normal users of the file.) And if the file is on the system partition (which it probably is), then users can try to fill up all the available disk space and crash the system.

    If you have a shared resource that you want to let people mess with, one way to do this is with a service. Users do not access the resource directly but rather go through the service. The service decides what the user is allowed to do with the resource. Maybe some users are permitted only to increment the "number of times played" counter, while others are allowed to edit the song titles. If a user is hogging the resource, the server might refuse connections for a while from that user.

    A file doesn't give you this degree of control over what people can do with it. If you grant write permission to a user, then that user can write to any part of the file. The user can open the file in exclusive mode and prevent anybody else from accessing it. The user can put fake data in the file in an attempt to confuse the other users on the machine.

    In other words, the user can make a change to the system that impacts how other users can use the system. This sort of "impact other users" behavior is something that is reserved for administrators. An unprivileged user should be allowed only to mess up his own life; he shouldn't be allowed to mess up other users' lives.

    Armed with this information, perhaps now you can answer this question posted to comp.os.ms-windows.programmer a few months ago.
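    The service design sketched above, as an added example that is not from the original post: a small in-process broker for a shared song index. The store is private to the service; every call is checked against the caller's role (a constructed two-role table), the only write a listener may perform is a single increment, titles are validated before they are stored, and a caller that exceeds a per-user call quota is refused for a while. The clock is injectable so the quota window can be exercised deterministically.

```python
import time
from dataclasses import dataclass


@dataclass
class Song:
    title: str
    play_count: int = 0


class IndexService:
    """Broker for a shared song index. Callers never get the store itself;
    every operation is checked against the caller's role and a per-user
    call quota, so one user cannot lock, corrupt or hog the data."""

    # Role table (constructed for this example): which operations each role may call.
    PERMISSIONS = {
        "listener": {"read", "increment_plays"},
        "editor": {"read", "increment_plays", "set_title"},
    }
    MAX_TITLE_LEN = 200

    def __init__(self, roles, max_calls_per_window=5, window_seconds=60.0,
                 clock=time.monotonic):
        self._songs = {}            # song_id -> Song, owned by the service only
        self._roles = dict(roles)   # user -> role
        self._calls = {}            # user -> timestamps of recent calls
        self._max_calls = max_calls_per_window
        self._window = window_seconds
        self._clock = clock         # injectable so the quota can be tested deterministically

    def _authorize(self, user, op):
        role = self._roles.get(user)
        if role is None or op not in self.PERMISSIONS[role]:
            raise PermissionError(f"{user!r} may not {op}")
        # Throttle a caller that hogs the resource: refuse once the quota is used up.
        now = self._clock()
        recent = [t for t in self._calls.get(user, []) if now - t < self._window]
        if len(recent) >= self._max_calls:
            raise ConnectionRefusedError(f"{user!r} is over quota; try again later")
        recent.append(now)
        self._calls[user] = recent

    def read(self, user, song_id):
        self._authorize(user, "read")
        song = self._songs[song_id]
        return song.title, song.play_count   # a copy of the data, never the store

    def increment_plays(self, user, song_id):
        # The only write a listener may perform, and only by exactly one.
        self._authorize(user, "increment_plays")
        song = self._songs[song_id]
        song.play_count += 1
        return song.play_count

    def set_title(self, user, song_id, title):
        self._authorize(user, "set_title")
        # The service validates what is written; a raw file would accept anything.
        title = title.strip()
        if not title or len(title) > self.MAX_TITLE_LEN or not title.isprintable():
            raise ValueError("invalid title")
        song = self._songs.get(song_id)
        if song is None:
            self._songs[song_id] = Song(title)
        else:
            song.title = title
        return title


def demo():
    """Walk through the checks with constructed users; returns what happened."""
    now = [0.0]   # fake clock so the quota window is deterministic
    svc = IndexService({"alice": "listener", "bob": "editor"},
                       max_calls_per_window=3, window_seconds=60.0,
                       clock=lambda: now[0])
    svc.set_title("bob", "s1", "Toxic")
    out = {"plays": svc.increment_plays("alice", "s1")}
    try:
        svc.set_title("alice", "s1", "Like a Prayer")   # a listener cannot rename
        out["alice_rename"] = "allowed"
    except PermissionError:
        out["alice_rename"] = "denied"
    try:
        for _ in range(3):                   # calls 2 and 3 succeed; call 4 exceeds the quota
            out["plays"] = svc.increment_plays("alice", "s1")
        out["throttled"] = False
    except ConnectionRefusedError:
        out["throttled"] = True
    now[0] += 61.0                           # window expires; the caller is served again
    out["plays_after_wait"] = svc.increment_plays("alice", "s1")
    return out


if __name__ == "__main__":
    print(demo())
```

    Compare this with handing out write access to a file: there the listener could rename songs, write garbage, or open the file exclusively, and nothing in the file API would stop it. The broker is where the policy lives, and the policy can be as fine-grained as the service author wants.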

  • The Old New Thing

    The various ways of sending a message


    There are several variations on the SendMessage function, but some are special cases of others.

    The simplest version is SendMessage itself, which sends a message and waits indefinitely for the response.

    The next level up is SendMessageTimeout which sends a message and waits for the response or until a certain amount of time has elapsed. SendMessage is just SendMessageTimeout with an INFINITE timeout.

    Another version of SendMessage is SendNotifyMessage, which is like SendMessage except that it doesn't wait for the response. It returns immediately and ignores the result produced by the receiving window.

    The last SendMessage-style function is SendMessageCallback. This sends a message and then returns immediately. When the recipient finally returns a response, the callback is called.

    SendNotifyMessage is SendMessageCallback with a callback that does nothing.

    That's how the four message-sending functions fit together.

    Bonus remark: If you use any of the above send-type functions to send a message to a window that belongs to the sending thread, the call is made synchronously.

  • The Old New Thing

    Am I sorry or not?


    One of the consequences of the New Internet World Order is that it is very easy to set up a web site like www.sorryeverybody.com and equally easy to set up a response like www.notsorryeverybody.com. This state of affairs clearly calls out for some sort of competition between the two. At dinner last night, someone suggested that there should be a site like www.amisorryornot.com? I guess it would have been funnier if the "not sorry" site had pictures of people not being sorry. Then "sorry or not" could have picked a picture and had visitors vote whether the person looked sorry or not...

    (I have to admit in my consummate geekdom that I think that the funniest "X or not" site is www.amibiosornot.com.)

  • The Old New Thing

    If a program and a folder have the same name, the shell prefers the program


    If you have both a folder named, say, C:\Folder and a program named C:\Folder.exe and you type C:\Folder into the Start.Run dialog, you get the program and not the folder.

    Why is that?

    Because it is common to have

     D:\Setup.exe
     D:\Setup\...

    where there is a setup program in the root, as well as a setup folder containing files needed by the setup program.

    Before Windows 95, you couldn't open a folder by typing its name. (If you wanted to view it in File Manager, you had to run File Manager explicitly.) As a result, programs written for earlier versions of Windows would have instructions like

    • Insert the floppy disk labelled "Setup". (CDs were for the rich kids.)
    • From Program Manager, click File, then Run.
    • In the dialog box, type "A:\SETUP" and press Enter.

    Since there was no such thing as "opening a folder", the only option was to run the program A:\SETUP.EXE.

    Windows 95 was required to prefer the program over the folder in order that those instructions would remain valid (substituting the Start button for the File menu).

    And each version of Windows that prefers the program over the folder creates an environment wherein people who write setup programs rely on that preference, thereby securing this behavior for the next version of Windows.

    But what if you really want to open the folder?

    Append a backslash to force the path to be interpreted as a folder (A:\SETUP\).

  • The Old New Thing

    Poking at diploma mills: Kennedy-Western University


    I enjoy poking around diploma mills. Especially the ones that spam my inbox. Like Kennedy-Western University, which describes itself like so:

    Since 1984 Kennedy-Western University (KWU) has provided distance and online degree programs to over 30,000 students. KWU is one of the largest non-accredited online universities in the United States. ...

    Ah, the magic word: "non-accredited". Translation: "Bogus".

    But hey, being non-accredited can't be all bad, right? After all, KWU seems to be proud of the fact that it isn't accredited.

    Read on:

    Three of four of its faculty of 140 credentialed professors - who are simultaneously employed by major traditional universities throughout the country - hold Ph.D. degrees from accredited universities.

    Oops, they're undermining their own statement. Isn't it kind of suspicious that they are bragging that their faculty is so good, they got their degrees from real universities (unlike this one)?

    My personal favorite diploma mill is Harrington University. It's fun kicking off a Google search to see how many people put a degree from that institution on their résumé.

    If you scroll down a bit on this Swedish web page, you'll find a picture of the building that houses so-called Brentwick University. The photo caption reads,

    Brentwick University claims to be on 196 High Street in northern London. This is what it looks like. On the second floor, over the dry cleaner's, lies Cordon Bell Accomodation Agency, a firm which serves as a maildrop and forwards mail on behalf of a series of camera-shy companies, among them "Brentwick University".

    It's a somewhat regular scandal in the United States that somebody well-known will be exposed to have been claiming a degree that was obtained by dubious means.

  • The Old New Thing

    How do I break an integer into its component bytes?


    Warning: .NET content ahead. For some reason, this gets asked a lot.

    To break an integer into its component bytes, you can use the BitConverter.GetBytes method:

    using System;

    int i = 123456;
    byte[] bytes = BitConverter.GetBytes(i);   // four bytes, in the machine's byte order

    After this code fragment, the byte array contains { 0x40, 0xE2, 0x01, 0x00 }.

    Update 11am: The endian-ness of the result is determined by the BitConverter.IsLittleEndian property. Thanks to reader Sean McVey for pointing this out.
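    An added example, written in Python rather than .NET and not part of the original post, that shows the same conversion with the byte order made explicit, since the native order you get from BitConverter.GetBytes is only safe for data that never leaves the machine. It also shows why the distinction matters in practice: a length-prefixed message (constructed for this example) parsed with the wrong byte order declares an enormous length, which the bound check rejects instead of honouring.

```python
import struct
import sys


def native_order():
    """'little' or 'big', whichever this machine uses (BitConverter.IsLittleEndian in .NET)."""
    return sys.byteorder


def int_to_bytes_native(value):
    """Same result as .NET's BitConverter.GetBytes(int): four bytes in the
    machine's own byte order ('=' in struct means native order, standard size)."""
    return struct.pack("=i", value)


def int_to_bytes(value, byteorder):
    """Explicit byte order ('little' or 'big') for data that leaves the machine:
    files, network messages, anything another program will read back."""
    return value.to_bytes(4, byteorder, signed=True)


def bytes_to_int(data, byteorder):
    """Inverse of int_to_bytes; rejects anything that is not exactly four bytes."""
    if len(data) != 4:
        raise ValueError(f"expected 4 bytes, got {len(data)}")
    return int.from_bytes(data, byteorder, signed=True)


def parse_length_prefixed(buf, byteorder="big", max_len=64 * 1024):
    """Parse a message laid out as a 4-byte unsigned length followed by that many
    payload bytes. Declaring the byte order and bounding the length are the two
    checks that stop an endianness mix-up from being read as an enormous length."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    n = int.from_bytes(buf[:4], byteorder, signed=False)
    if n > max_len:
        raise ValueError(f"declared length {n} exceeds limit {max_len}")
    if len(buf) < 4 + n:
        raise ValueError(f"declared length {n}, only {len(buf) - 4} payload bytes")
    return buf[4:4 + n]


def try_parse(buf, byteorder):
    """parse_length_prefixed, returning None instead of raising on bad input."""
    try:
        return parse_length_prefixed(buf, byteorder)
    except ValueError:
        return None


# Constructed sample message: big-endian length 5, then the payload "hello".
SAMPLE = b"\x00\x00\x00\x05" + b"hello"

if __name__ == "__main__":
    print(native_order(), int_to_bytes_native(123456).hex())
    print(int_to_bytes(123456, "little").hex(), int_to_bytes(123456, "big").hex())
    print(try_parse(SAMPLE, "big"), try_parse(SAMPLE, "little"))
```

    The { 0x40, 0xE2, 0x01, 0x00 } from the post is what int_to_bytes(123456, "little") returns; read those same four bytes as big-endian and you get 1088553216, which is the kind of silent corruption an unstated byte order produces.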

  • The Old New Thing

    Exploiting the inattentive


    The makers of a certain major brand of detergent which I will not name (but which for the purposes of this discussion will be called "Snide") appears to take every step to exploit inattentive customers.

    A box of Snide detergent powder comes with instructions indicating that for a normal-sized load, you should use 3/8 cup of detergent; for a large load, 1/2 cup.

    The detergent box also comes with a handy measuring cup.

    The measuring cup holds 5/8 cup of detergent.

    Not to be outdone, Liquid Snide plays a similar trick.

    The instructions indicate that for a normal-sized load, you should fill the cup to line 1 (the lowest line). For a large load, fill to line 2. If you look at the cup they provide, there is also a line 3 which is even higher than lines 1 and 2. Not even counting the imaginary "line 4" which is what you get if you fill the cup to the brim.

    Just because it comes with a measuring cup doesn't mean you have to use it.

  • The Old New Thing

    What is this Xerox directory doing in Program Files?


    If you go snooping around, you may find an empty C:\Program Files\Xerox directory. What's that for?

    This directory is being watched by Windows File Protection, because it needs to protect the file xrxflnch.exe should it ever show up. (Why does the directory have to exist in order for Windows File Protection to be able to watch it? I'm told it's a limitation of the Windows File Protection engine. I suspect it may have something to do with the fact that the FindFirstChangeNotification function can't watch a directory that doesn't exist.)

    Why is xrxflnch.exe so special? I don't know. My guess is that it's some file that is frequently overwritten by setup programs and therefore needs to be protected.

  • The Old New Thing

    Asking questions where the answer is unreliable anyway


    Here are some questions and then explanations why you can't do anything meaningful with the answer anyway even if you could get an answer in the first place.

    "How can I find out how many outstanding references there are to a shared memory object?"
    Even if there were a way to find out, the answer you get would be instantly wrong anyway because the microsecond after you ask the question, somebody can open a new handle.

    This is an example of "Meaningless due to unavoidable race condition."

    "How can I find out whether a critical section is free without entering it?"
    Again, once you get an answer, the answer could instantly become wrong if another thread decides to enter the critical section immediately after you checked that it was free.
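    The race described for the shared memory and critical section questions, as an added example that is not from the original post: a thread that asks "is the lock free?" and then acts on the answer, beside a thread that checks and acts in one atomic step. The between_check_and_act hook and the intruder thread are constructed for this example so that the interleaving happens on demand; on a real machine the scheduler supplies it at random, and the wait in the racy version has no timeout at all.

```python
import threading
import time


def check_then_enter(lock, between_check_and_act=lambda: None, wait=0.2):
    """Ask 'is the critical section free?' and then act on the answer separately.
    Returns 'busy', 'entered', or 'stale' (told it was free, then could not get in)."""
    if lock.locked():
        return "busy"
    between_check_and_act()        # the scheduler can run another thread right here
    # Act on the answer: wait for a lock we were told was free.
    # On a real machine the wait is unbounded; here it is capped so the demo returns.
    if lock.acquire(timeout=wait):
        lock.release()
        return "entered"
    return "stale"


def try_enter(lock):
    """Check and act as one atomic step: a non-blocking acquire.
    There is no separate answer that can go stale."""
    if lock.acquire(blocking=False):
        lock.release()
        return "entered"
    return "busy"


def demo():
    """Let an intruder thread grab the lock between the check and the act."""
    lock = threading.Lock()
    release = threading.Event()

    def intruder():
        lock.acquire()             # succeeds: the lock really was free a moment ago
        release.wait()             # hold it until the demo says so
        lock.release()

    intruder_thread = threading.Thread(target=intruder)

    def let_intruder_run():
        intruder_thread.start()
        while not lock.locked():   # spin until the intruder actually holds the lock
            time.sleep(0.001)

    racy = check_then_enter(lock, let_intruder_run, wait=0.2)   # 'stale'
    atomic = try_enter(lock)                                    # 'busy'
    release.set()
    intruder_thread.join()
    after = try_enter(lock)                                     # 'entered'
    return racy, atomic, after


if __name__ == "__main__":
    print(demo())
```

    The same reasoning applies to "how many handles are open" or "is a hook installed": the only answers worth acting on are the ones returned by the operation itself (an acquire, an open, a create) rather than by a separate query whose result is already history.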

    "How can I tell whether there is a keyboard hook installed in the system?"
    This suffers from the same problem yet again: The instant you get the answer ("all clear"), somebody can install a hook.

    This is actually even worse because people who ask this question are typically interested in secure keyboard access. But if somebody has a keyboard hook installed, that means that they have already injected code into your process (namely, the hook itself). At which point they could easily patch the imaginary IsKeyboardHooked() function to always return FALSE.

    Now when your program asks if the keyboard is hooked, the answer is a happy "no" and you proceed, blithely confident that there are no hooks. Just because somebody said so.

    You cannot reliably reason about the security of a system from within the system itself. It's like trying to prove to yourself that you aren't insane.

    The system may itself have already been compromised and all your reasoning therefore can be virtualized away. Besides, your program could be running inside a virtual PC environment, in which case the absence of a keyboard hook inside the virtual PC proves nothing. The keyboard logging could be happening in the virtual PC host software.

    From a UI standpoint, the desktop is the security boundary. Once you let somebody run on your desktop, you implicitly trust them. Because now they can send your program random messages, inject hooks, hack at your window handles, edit your menus, and generally party all over you.

    That's why it is such a horrible mistake to let a service interact with the desktop. By joining the interactive desktop, you have granted trust to a security context you should not be trusting. Sure, it lets you manipulate objects on that desktop, but it also lets the objects on that desktop manipulate you. (There's a Yakov Smirnoff joke in there somewhere, but instead I will quote Nietzsche: Wenn du lange in einen Abgrund blickst, blickt der Abgrund auch in dich hinein. "When you gaze long into an abyss, the abyss also gazes into you.")

    If you're a service, you don't want to start letting untrusted programs manipulate you. That opens you up to a Shatter attack.

  • The Old New Thing

    Will dragging a file result in a move or a copy?


    Some people are confused by the seemingly random behavior when you drag a file. Do you get a move or a copy?

    And you're right to be confused because it's not obvious until you learn the secret. Mind you, this secret hasn't changed since 1989, but an old secret is still a secret just the same. (Worse: An old secret is a compatibility constraint.)

    • If Ctrl+Shift are held down, then the operation creates a shortcut.
    • If Shift is held down, then the operation is a move.
    • If Ctrl is held down, then the operation is a copy.
    • If no modifiers are held down and the source and destination are on the same drive, then the operation is a move.
    • If no modifiers are held down and the source and destination are on different drives, then the operation is a copy.

    This is one of the few places where the fact that there are things called "drives" makes itself known to the end user in a significant way.
