Flaws in the security features of SP2
Page 2: Windows Explorer caching of ZoneIDs
2. Windows Explorer caching of ZoneIDs
Description
Windows Explorer caches the result of ZoneID lookups. If a file is overwritten, Explorer does not properly update this cached information to reflect the new ZoneID. This allows spoofing of a trusted or non-existent ZoneID by overwriting a file that has such a ZoneID.
The following steps illustrate the problem.
- Copy notepad to a new file (you may also use Explorer to copy the file):
> copy c:\windows\notepad.exe test.exe
- Open test.exe in Explorer: no warning.
- evil.exe is a file saved from an e-mail attachment and has ZoneID=3. Check with your editor by opening "evil.exe:Zone.Identifier". It displays: ZoneID=3
- Open evil.exe in Explorer: you will be warned.
- Overwrite the copy of notepad.exe:
> copy evil.exe test.exe
test.exe:Zone.Identifier displays: ZoneID=3
- Open test.exe in Explorer: no warning! test.exe is launched without warning despite its ZoneID=3. In the file properties, Explorer shows the correct notice about its origin, but for opening the file the old ZoneID status is used.
- Double-check: kill the Explorer task, restart it and launch test.exe: you will be warned.
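As an added example (not code from the heise article), here is a small Python script that reads a file's Zone.Identifier stream directly, the same check the article performs with an editor, so that an audit relies on the stream itself rather than on Explorer's cached status. It assumes the standard INI layout of the stream (`[ZoneTransfer]` section, `ZoneId=` key, matched case-insensitively because the article writes it as `ZoneID`); the sample stream texts in the test are constructed.

```python
import re
from typing import Optional

# URL security zone numbers as used in the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from the text of a Zone.Identifier stream, or None.

    Assumed layout (constructed sample): "[ZoneTransfer]\r\nZoneId=3\r\n".
    Keys outside the [ZoneTransfer] section are ignored.
    """
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section:
            m = re.match(r"zoneid\s*=\s*(\d+)\s*$", line, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def zone_name(zone_id: Optional[int]) -> str:
    """Human-readable zone name; None means the stream does not exist."""
    if zone_id is None:
        return "no Zone.Identifier stream"
    return ZONE_NAMES.get(zone_id, "unknown zone %d" % zone_id)


def is_untrusted(zone_id: Optional[int]) -> bool:
    """True for files that came from the Internet or Restricted sites zone."""
    return zone_id is not None and zone_id >= 3


def read_zone_id(path: str) -> Optional[int]:
    """Read the NTFS alternate data stream <path>:Zone.Identifier (Windows only).

    Returns None when the stream is absent, i.e. the 'non-existent ZoneID' case.
    Reading the stream bypasses Explorer's cached lookup result entirely.
    """
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None
```

Running `read_zone_id("test.exe")` after the overwrite step above returns 3 regardless of what Explorer has cached, which is why an audit should read the stream rather than trust the Explorer prompt.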
Attack vector
Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.
Vendor status
heise Security has notified Microsoft about both issues on August 12. Microsoft Security Response Center responded:
"We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."
You will find some personal thoughts about this response in the latest comment on heise Security: Microsoft: A matter of trust (ju)