Trusting Windows
The security risks of Windows’ hidden features.
geoff lane • May 30, 2006 4:29 PM
If I can’t predict how a program will behave then it may as well be using magic. If I can’t restrict how a program will behave then I have lost control of my computer.
I can understand how the coders can realise that if they treat X specially then Y happens. The problem is the rules are never made explicit. They are hacking with the system, not implementing simple rules. This may be fun but it is a security problem in the making. Complex interfaces open your system to “interesting” problems…
Jason • May 30, 2006 6:27 PM
Am I missing something? What’s the risk here?
Igor • May 30, 2006 6:44 PM
@Jason
On the face of it this so-called discovery appears harmless. However, if combined with some batch file running deltree /y, then we’re beginning to talk about a problem. The above assumes that one has physical access to the machine in question, of course. I think you are thinking of the article at face value; the trick is to separate it out into components. The exploits this little shortcut trick couldn’t be implemented into…
scosol • May 30, 2006 6:50 PM
Hahah- though, if you think about it for just 30 seconds better logic for Explorer becomes clear- “if I am in IE mode, check Internet destinations first before checking any local files”- then just reverse the behavior for when in file mode.
Jason • May 30, 2006 6:55 PM
Well, my thoughts are if a system is compromised, it’s compromised. If someone that has actually gotten into my system tries to use this instead of just doing the actual damage themselves, then I got lucky. Why not just throw the script in the startup folder? Then you’ll know I’m going to run it.
The author’s fear seems to be more of the feature being unknown to him, of which I’m sure there are many features we don’t know of. Systems are far too complex anymore to know everything about them. And don’t get me started on the code reviewing statement… when’s the last time anyone here reviewed the current Linux kernel to make sure there weren’t any vulnerabilities?
Bruce Schneier • May 30, 2006 7:36 PM
“Am I missing something? What’s the risk here?”
Certainly the risks are small, comparatively speaking. But they’re real. The risk is that Windows will do something you don’t want, don’t expect, and don’t like. Or that someone can trick you into doing something you don’t want, don’t expect, and don’t like based on some hidden features of Windows.
To me, it’s another aspect of the “Who Owns your Computer” essay I wrote a month or so ago.
Stuart Young • May 30, 2006 8:37 PM
Jason says: “Well, my thoughts are if a system is compromised, it’s compromised. If someone that has actually gotten into my system tries to use this instead of just doing the actual damage themselves, then I got lucky. Why not just throw the script in the startup folder? Then you’ll know I’m going to run it.”
There is a question of access. What gets me more than the checking of the Desktop folders is that it checks Favourites (the bookmarks). There are so many JavaScript snippets that add sites to your Favourites automatically that you could easily redirect users to the wrong websites. If you can also call local apps, you could spawn insecure services that then could be used to take over the machine.
Jason says: “Systems are far too complex anymore to know everything about them. And don’t get me started on the code reviewing statement… when’s the last time anyone here reviewed the current Linux kernel to make sure there weren’t any vulnerabilities?”
I’ve done a bit of reviewing of kernel code in my time, and while I’m not really a coder or anything, I’ve pointed out a few things to other people who have taken them the distance and gotten them fixed. I also know a few people outside of the standard kernel community that find such vulnerabilities, fix them, and then push the code to the kernel people. And the same stuff goes on in user space too.
There ARE people out there actively checking. There’s now been 19 additional patch sets released against 2.6.16, which was released on the 20th March 2006, and each patch set fixes at least one problem, usually more. To me, this indicates an active review process and people willing to fix the problems.
There are also a lot of automated tools that are now used to check for vulnerabilities, and that are regularly run on the kernel. Coverity comes to mind here, but there are others the developers themselves run.
The thing open source has going for it here is that the bar to entry is so low that anyone with an interest can get involved, whereas in closed source you need to get access to the code, usually through some sort of NDA/licence/contract.
Please note that I agree that systems are very complex and getting more so, but that doesn’t stop us manually checking pieces, or running automatic tools that highlight suspect areas for manual checking. When you can’t actually perform the checking, you may as well have your head in the sand.
Thomas • May 31, 2006 12:26 AM
I think this ‘feature’ nicely complements the advised practice of “never click a link, always type in the URL”, especially for things like web-banking.
Unless you prefix the protocol (type in “https://[site.name.here]” instead of simply “[site.name.here]” (which I guess you should be doing anyway if you’re web-banking)) typing in the URL is potentially LESS secure than clicking on a link; clicking the link should provide the “http[s]://” part which prevents these short-cuts from firing.
RonK • May 31, 2006 1:21 AM
Hey, everyone look at the glowing compliments to Bruce at an article linked from the posted article’s URL:
http://www.infoworld.com/article/06/05/26/78639_22OPsecadvise_1.html
I can hear Bruce blushing even as I type 🙂
JakeS • May 31, 2006 2:02 AM
The described feature of IE sounds like a consequence of MS’s attempt (misguided, in my view) to “webify” the Windows user interface – that is, to make components like Control Panel and Windows Explorer look and feel like web pages. I think they were trying to make the interface simple for the “home user”. I always turn that off when I can and use the “classic” interface; maybe that’s just me being an old grumpy and all you cool dudes are enjoying the fancy new style.
There’s also a bit of the old Linux-vs-Windows religious prejudice here. “Look what bad, bad things Windows does! If it was open-source, any user could look inside and know how it will behave!” Yeah, right. Perhaps I’m mistaken, but I’m much more concerned about the security problems caused by bugs in Windows (and Office) than about ‘features’ like this.
Windows is very complex, and not all the details of its behaviour are documented (or can be) in normal user documentation; as with any complex software, you find your way around it, discover how it behaves, and become comfortable with using it. I’d be a bit surprised, though, if this behaviour of IE isn’t documented somewhere in MSDN where I haven’t time to look now.
JakeS • May 31, 2006 2:03 AM
“I can hear Bruce blushing” – pretty Zen, that. What does a blush sound like?
JakeS • May 31, 2006 2:04 AM
“I can hear Bruce blushing” – a bit of Zen there. What does a blush sound like?
JakeS • May 31, 2006 2:10 AM
Trust Windows? No, not much. But it’s very complex, and I don’t expect to find all the details of its behaviour in normal user documentation – who reads that, anyway? As with any complex software, you find your way around it, discover how it behaves, and become comfortable with using it. I’d be a bit surprised, though, if this behaviour of IE isn’t documented somewhere in MSDN where I haven’t time to look now.
[Sorry about the double post above – finger trouble]
Stephane Grobety • May 31, 2006 2:45 AM
IE is not the only browser that exhibits potentially harmful behaviour because of usability features:
The other day, I wanted to connect to the web management exposed by a hardware device on my network. I launched Firefox and typed in the host name of the device. But that name wasn’t yet registered in the DNS, so it wasn’t found.
What did Firefox do? It used Google’s “I’m feeling lucky” feature to bring me directly to a web page… that used to be a malware distribution point. It located the web page using the host name I gave it as keyword.
Granted, I was rather unlucky that the host name of the device would bring me to a malware page, but I bet there are ways to exploit this behaviour in phishing schemes.
Longwalker • May 31, 2006 2:53 AM
This is exploitable on any version of IE that doesn’t block window.external.AddFavorite (add bookmark) as a security violation. On IE configurations that allow AddFavorite, a blackhat website could use JavaScript to install and execute a batch file or other script up to 2KB in size. That’s enough to use a scripted FTP operation to pull more serious malware off a server.
How many people out there are running IE configs that allow AddFavorite? I don’t know, but this misfeature could have been exploited from IE4 (where AddFavorite was introduced) to whatever version of IE disallowed its use.
MathFox • May 31, 2006 2:54 AM
Hmmm, thinking about it, this kind of behaviour could be used in phishing attempts. Start a keylogger when the user types “paypal.com” or “ebay.com”, etc., and forward him transparently to the expected site.
RonK • May 31, 2006 3:13 AM
RonK • May 31, 2006 3:17 AM
Sorry for the double post, I assumed a transient error had prevented the first one and posted w/o checking.. ooops…
And yes, it was intentionally koan-ish ….
Whilst on the topic of typing URLs, here’s an attack.
As has already been noted, it is preferable to type a URL as opposed to clicking a link. But browsers typically autocomplete; if I can manipulate the autocomplete then I can trick the user. For example: the user starts to type http://www.mybankingservice.com, at which point the browser offers http://www.mybankingservce.com; the user clicks the option (or hits the , followed by or whatever). The user has been duped.
I don’t know if this attack is possible, because I haven’t looked into how browsers store this information…
Jungsonn • May 31, 2006 6:36 AM
It’s not a bug.
Cause IE is a shellbrowser, and with shells you can execute things.
Bruce Schneier • May 31, 2006 6:56 AM
“It’s not a bug. Cause IE is a shellbrowser, and with shells you can execute things.”
But is it a good idea?
Jungsonn • May 31, 2006 7:11 AM
Nope, it’s also not a handy feature 🙂
This is being fixed in IE7.
And, as MS says, presumably “securer”. Sigh.
Clive Robinson • May 31, 2006 7:43 AM
After reading the article I get to the bottom and read the following…
“With Windows, I have to trust Microsoft. And let me say, I do trust Microsoft the majority of the time.”
Why? There is more than enough evidence they cannot be trusted; it’s pretty much always (useless) features before security.
He then goes on to say,
“It’s just that I have no way of knowing what other surprises lurk for me, and how they affect my overall security risk.”
Which should give him a big clue as to why he should not trust Microsoft in any way at any time.
With his final,
“And if I find a feature I don’t want, can I easily turn it off? ”
You get to the crux of the problem.
You should be able to turn all features on and off at whim if you so desire.
Unfortunately with Windows and one or two other products (Gnome for instance) the user is effectively prevented from doing anything the designer thinks is “too difficult” for them….
Jungsonn • May 31, 2006 7:54 AM
The main idea of that feature (the shell on top of IE) was that you can browse local files and execute them in IE. That was back in the days when they did not thoroughly think about the potential for execution of viruses and other executables.
I can understand they wanted to make it easier for people to browse their files. At the cost of security. But I agree, there should be a method of turning it “off”. Maybe it can, or maybe it cannot. I’m not fully aware if you can disable the win32 shell.
But hope arises in the new IE version, where local file browsing will be disabled by default. A little bit late, I guess…
Jason • May 31, 2006 11:32 AM
You could turn it off by using a third-party browser. There are options. I think my problem with this was that it’s just a little too prejudiced against MS. They have lots of things to complain about, but this just seems like a non-issue.
And I still say, if someone has write access to your drive, this is the least of your worries.
derf • May 31, 2006 1:43 PM
The problems:
1) Unexpected
2) Undocumented
3) Potentially exploitable
When these combine, there are usually nasty possibilities. The next, obvious question this brings up is: What else don’t we know about Windows functionality that may end up biting us in the buttocks later?
AG • May 31, 2006 2:52 PM
I personally have seen multiple spybots and viruses take advantage of this “feature”.
Common is for someone to have a shortcut appear on their desktop and click with a “What is this?” intention… this leads to more viruses and spybots…
Nasty stuff.. but cleanable
Preston L. Bannister • May 31, 2006 4:28 PM
This is a documented, designed-in feature of Windows. Totally non-surprising (but then I’ve spent time writing Windows code). If you step off the “let’s trash Windows” bandwagon for a moment, this makes perfect sense. When the user types something into the address line (on IE or Explorer), the software should try and do what the user wants.
The article is without value – simple FUD.
Played with it a bit to be sure – this is not a security issue. This does not prove that typing URLs is better than clicking links (in fact slightly the reverse).
Any “exploit” with a precondition that your box (or user) is already hacked – is not an exploit.
Pat Cahalan • May 31, 2006 5:12 PM
@ Preston
“When the user types something into the address line (on IE or Explorer), the software should try and do what the user wants.”
Now you’re in the design space where you have one program that decides, based upon what looks like a static decision making process what the user wants (look here: %UserProfile%\Desktop; then here: %AllUsersProfile%\Desktop; then here %UserProfile%\Favorites; etc.; finally look here: “http://www.foo.bar”). This isn’t a feature, it’s a bug – or at the very least it is a bad design, because you’re making some pretty drastic assumptions about “what the user wants”. The software never asks the user what they want, or has the user configure what they want.
If a user is looking at his/her web browser, and they type “www.foo.bar”, or “foo.bar”, you can just as easily say that the expectation is that they will see the same results as typing “http://www.foo.bar”… NOT the contents of the file “foo.bar” on their desktop.
I agree that this isn’t a security “risk”, per se… any more than any particular behaviour of an operating system’s default configuration is a “risk”… but it is a design decision that has security implications, because the program is by default exhibiting behavior that may not be what the user expects.
Since this is such an oddball default condition, it’s certainly possible to socially engineer this into a security risk. You certainly wouldn’t have to “hack” a box to leverage this into a type of an attack.
“This is a documented, designed-in feature of Windows.”
This is a pretty poorly documented behaviour.
winsnomore • May 31, 2006 11:41 PM
Quid Pro ho ho ho !!!
This is not a security hole .. it’s probably bad design .. a user has to do a lot of fancy and stupid things.
The bigger security hole is to leave the system accessible to monkeys around you .. and I submit NO system is immune to monkeying around.
I can rename ANY unix command to ANY if I had root passwd!! so Linux/Unix has a design flaw .. grow up live well
Jungsonn • June 1, 2006 6:15 AM
@Pat,
“—–If a user is looking at his/her web browser, and they type “www.foo.bar”, or “foo.bar”, you can just as easily say that the expectation is that they will see the same results as typing “http://www.foo.bar”… NOT the contents of the file “foo.bar” on their desktop.—–”
Shortcuts are just references to a webpage or executable, which you can give a name. It does not imply that the name of the shortcut should be the location of what it is supposed to execute when clicked on. Since you run the shortcut on your desktop, IE knows the path of the executable, which you typed in yourself: notepad.exe, or C:\pf\someapp.exe. So the security risk would be that it can rename an icon’s path to execute other programs. But to do that, they first must enter your system, allowed: bookmarked a site, or not allowed: they hacked in. In the last case, it should not be the effort; in the first case: I’m wondering if you can bypass this by remotely adding a bookmark which can execute a remote script, and could get access.
that would be a huge risk.
Anonymous • June 1, 2006 7:03 AM
“But hope arises in the new IE version”…
Can’t hear such any more.
There is a constant stream of gaping security holes and boldfaced spying on you Windows users, all led by Microsoft’s opinion of where you ought to go today. And I bet they are not going to change their business model that is so successful at taking away your money and your control.
Why on earth do you expect that any future version that is promised to fix some problem-de-jour would change things to your benefit? It will change things to their benefit, and will almost certainly introduce more new problems than it fixes. Problems that you do not have learned to deal with yet.
Step out of that loop. Take back control. Use software from people who will use it themselves and have no reason to lie to you. Stop patching and reinstalling so often, get real work done or have fun instead. Save the money for the licenses, invite your love to dinner instead.
Why is that so hard to grasp?
Jungsonn • June 1, 2006 7:59 AM
Clearly put.
LeoNerd • June 1, 2006 11:55 AM
I wonder if this logic also applies on links in web pages? Maybe I could direct users to
“click here”
when really it’s a link to C:\Win32\System\someevilcommand.exe /with /arguments/ …
Jungsonn • June 1, 2006 3:16 PM
@LeoNerd
That’s what I also am trying to find out. If, for say, a site tells you to bookmark a page, with an embedded link in it which could execute programs. Interesting to try it out.
Preston L. Bannister • June 1, 2006 3:22 PM
Folks, you should really try things before you speculate wrongly.
In-page web links do not invoke Windows shortcuts, and Windows shortcuts cannot have “http://” names (i.e. URLs of any sort).
The point of confusion is when the user types something into the address line of IE that is not a legal URL. At this point the browser could either fail (not helpful), or try some alternate strategy. The alternate strategy for IE and Firefox differ.
The heuristic for IE seems to be to try each of the following until one succeeds:
0) parse as exact HTTP URL.
1) parse out first path element and eval as Windows shortcut.
2) parse out first path element and eval as HTTP URL with “http://” prepended.
3) pass line to search engine and show search results in browser.
The Firefox heuristic seems to omit (1) but is otherwise the same.
For this entire discussion to be in any way relevant, there must be a shortcut on a user’s un-hacked box with a name that EXACTLY matches what a user might type in on the address line of the browser to get to a web site. This by itself is unlikely in the extreme. Look at the shortcut names … there just aren’t any websites with names like “Tivo Desktop”.
For this extremely unlikely case, for the result to be more than confusing, the shortcut invoked must be in some way harmful. Given the rarity of shortcuts with names like “aol” and semantics like “format c:” … we’re getting into tinfoil hat territory.
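As an added example, not from the thread, here is a small Python model of the lookup order Preston lists, with constructed shortcut names: under the IE order a shortcut named exactly like a typed site wins over the web lookup, whereas the Firefox order (no step 1) and a typed scheme (Thomas’s point above) go straight to the URL. The folder names, sample shortcuts and the case-insensitive name match are assumptions for the demonstration; the audit function just lists shortcut names that look like host names so a defender can review them.

```python
import re
from typing import Dict, Iterable, List

# Folders the thread says IE consults before trying the network (for reference):
#   %UserProfile%\Desktop, %AllUsersProfile%\Desktop, %UserProfile%\Favorites

# Something that looks like a host name: dotted labels ending in a letter-only TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def first_path_element(typed: str) -> str:
    """'paypal.com/login' -> 'paypal.com'; the shortcut match is on this part."""
    return typed.split("/", 1)[0]


def resolve(typed: str, shortcuts: Dict[str, str], browser: str = "ie") -> str:
    """Return what a typed address resolves to under the heuristic order.

    shortcuts maps shortcut name -> target (constructed data; names are
    compared case-insensitively, as Windows file names are).
    """
    by_name = {name.lower(): target for name, target in shortcuts.items()}
    if typed.lower().startswith(("http://", "https://")):
        return "url:" + typed                                   # step 0: exact URL
    head = first_path_element(typed)
    if browser == "ie" and head.lower() in by_name:             # step 1: shortcut (IE only)
        return "shortcut:" + by_name[head.lower()]
    if HOSTNAME_RE.match(head):                                 # step 2: prepend http://
        return "url:http://" + typed
    return "search:" + typed                                    # step 3: search engine


def audit_shortcuts(names: Iterable[str]) -> List[str]:
    """Defender check: shortcut names that look like host names would shadow
    the web lookup in IE, so return them for review."""
    return sorted(n for n in names if HOSTNAME_RE.match(n))


# Constructed sample: one innocuous shortcut and one named like a web site.
SAMPLE_SHORTCUTS = {
    "Tivo Desktop": r"C:\Program Files\TiVo\Desktop.exe",
    "paypal.com": r"C:\Documents and Settings\demo\Desktop\unexpected.bat",
}

if __name__ == "__main__":
    for typed in ("paypal.com", "https://paypal.com", "Tivo Desktop", "foo.bar"):
        print(f"{typed!r:22} IE -> {resolve(typed, SAMPLE_SHORTCUTS)}")
        print(f"{'':22} FF -> {resolve(typed, SAMPLE_SHORTCUTS, 'firefox')}")
    print("shortcuts to review:", audit_shortcuts(SAMPLE_SHORTCUTS))
```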
Jungsonn • June 1, 2006 3:28 PM
Oops! It is quite possible to some level.
I did this:
<//a href="javascript:window.external.addFavorite('http://C:\WINDOWS\system32\notepad.exe','Some page');">add bookmark!<//a>
(remove the extra slashes)
Without http, it did not work; with this simple bookmark JavaScript I could add notepad to my favorites with the text “Some page”.
But when I clicked on it:
http://c:WINDOWSsystem32otepad.exe/
So something goes wrong; it removes the forward slashes somehow, but I was able to add it to my bookmarks.
I try to look further, maybe with some escaping it might be possible.
Jungsonn • June 1, 2006 3:33 PM
OK, the tags were stripped by the board; I try it this way:
a href="javascript:window.external.addFavorite('http://C:\WINDOWS\system32\notepad.exe','Some page');">add bookmark!
And close the A tag, of course.
Jungsonn • June 1, 2006 3:56 PM
Update:
I escaped some slashes; this worked pretty fine:
"javascript:window.external.addFavorite('http:/\C:\/WINDOWS/\system32\/\Notepad.exe','Some page');"
results in:
http:/C:/WINDOWS/system32/Notepad.exe
So the http is in the way here.
I did test it in an HTML page, but if it is offline, I think it might be possible, yes.
Sorry Bruce for the code mess.
Khoth • June 24, 2006 12:45 PM
A couple of thoughts:
When people download things, the default location is the desktop, so getting an arbitrary file there probably isn’t very hard, especially if the victim has turned off the dialog asking whether to open or save the file.
Is it possible for url changing via meta refresh or javascript to trigger the “search the desktop” mode?
(I’m not using Windows, so I can’t just try it out)
Edward • May 30, 2006 4:01 PM
I have known about this trick since Windows 98SE, when IE was first integrated. I have not used Windows all that much over the years; I have been running Linux, and only use Windows when I absolutely have to. It is a big security risk, but as I was told with Windows problems, yeah there is no security issues but look at the features, or with a Mac, yeah it’s not really supported too well, but look at the features, or even Linux, same thing. This is just one of those things.