From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Apr 15 2002 - 15:17:37 CDT

    John Duddy, Principal Engineer at St. Bernard Software said:

    "As far as I know, there is no way to manipulate the values you mention
    without being an Administrator. If one of your administrators deletes
    these values, you will indeed have the symptoms you mentioned. However,
    letting someone like that have administrative rights on your machine is
    the source of the error."

    Well, actually this isn't true, but it's a common premise though. I
    pointed out in my message that the keys used are write-restricted to
    Administrators/System, but I purposefully avoid what so many have been
    saying...namely that those keys are a prime target.

    Too many things rely upon the integrity of these keys and not on other,
    additional or autonomous, sources. HFNetchk is a noteworthy alternative
    because it uses its own checksums against the files themselves and
    doesn't give a hoot what's in those keys.

    I can manipulate these keys as System. Nimda was System. Code Red was
    System. Some exploits do run as System.

    I'm not arguing against the stance, "but hey, if I can get something to
    exploit as System then all bets are off!". Yup, that's definitely true,
    if something runs as System then all bets are definitely off. What's at
    issue here (something I didn't want to state explicitly but Ragnarok
    pointed out clearly) is that if something should run on your machine
    you'd likely apply a patch to correct it...no? People applied a patch to
    eliminate Code Red, Nimda, and so many others.

    Ah, but what happens if the effects of "whatever" also muck about with
    this registry data? What do you do to check the integrity of the
    registry if the tools you are using aren't able to do that on their own?
    Remove all of the registry keys for all patches and re-apply all
    patches???

    UpdateExpert, like Windows Update, is unable to independently verify
    what it's looking at and whether a system is or isn't at a given patch
    level. It only works as long as the system hasn't been tampered with.
    That's a problem, and no, the problem's not isolated to rogue
    Administrators.

    Surely as the Principal Engineer you must have raised this issue several
    times in the past internally. I can now state with certainty that many
    security experts expect these keys to be part of the next big attack.
    Are you just waiting to see if we're right or not?

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
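
The point the thread turns on is that a patch-state check which reads only the hotfix registry keys has a single, writable source of truth, whereas a check that hashes the patched files themselves has evidence the keys cannot forge. The script below is an added example, not code from the thread, from HFNetchk, UpdateExpert or any vendor: it audits a directory against a constructed manifest of expected SHA-256 digests and then compares that file-derived verdict with what a registry-style list of "installed" patch IDs claims, so that a deleted key, a rolled-back file, or a key present with the wrong files are each reported as distinct conditions. The patch IDs, file names and contents are made up for the demonstration; a real deployment would take the manifest from the vendor's signed patch metadata and the claimed list from the actual hotfix keys.

```python
"""Cross-check registry-style patch claims against file checksums.

Added example for illustration. Patch IDs, paths and contents below are
constructed; they are not real Microsoft hotfix identifiers or files.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(patch_files):
    """Turn {patch_id: {relative_path: expected_bytes}} into
    {patch_id: {relative_path: expected_sha256}}. In practice this comes
    from the vendor, not from the machine being audited."""
    return {
        patch_id: {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
        for patch_id, files in patch_files.items()
    }


def files_match(root, expected):
    """True only if every file a patch ships exists and hashes as expected."""
    for rel, digest in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_of(path) != digest:
            return False
    return True


def audit(root, manifest, claimed_installed):
    """Return {patch_id: verdict}. The verdict comes from the files; the
    registry-style claim is only compared against it, never trusted alone."""
    verdicts = {}
    for patch_id, expected in manifest.items():
        ok = files_match(root, expected)
        claimed = patch_id in claimed_installed
        if ok and claimed:
            verdicts[patch_id] = "verified"
        elif ok and not claimed:
            # Binaries are patched but the key is gone: deleted or never written.
            verdicts[patch_id] = "files-patched-key-missing"
        elif not ok and claimed:
            # Key says installed, binaries say otherwise: rollback or tampering.
            verdicts[patch_id] = "key-present-files-wrong"
        else:
            verdicts[patch_id] = "not-installed"
    return verdicts


def demo():
    """Build a throwaway tree with four constructed patches in four states."""
    patch_files = {
        "PATCH-A": {"sys/a.dll": b"patched-a-v2"},
        "PATCH-B": {"sys/b.dll": b"patched-b-v2"},
        "PATCH-C": {"sys/c.dll": b"patched-c-v2"},
        "PATCH-D": {"sys/d.dll": b"patched-d-v2"},
    }
    manifest = build_manifest(patch_files)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sys"))
        on_disk = {
            "sys/a.dll": b"patched-a-v2",  # A: correct
            "sys/b.dll": b"patched-b-v2",  # B: correct, but key removed below
            "sys/c.dll": b"original-c-v1",  # C: reverted to the old binary
            # D: never installed, no file at all
        }
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # What the hotfix keys claim: B's key is missing, C's key is still there.
        claimed = {"PATCH-A", "PATCH-C"}
        return audit(root, manifest, claimed)


if __name__ == "__main__":
    for patch_id, verdict in sorted(demo().items()):
        print(f"{patch_id}: {verdict}")
```

Anything other than "verified" deserves a look: a "files-patched-key-missing" result is what a key-only tool would report as an unpatched machine, and "key-present-files-wrong" is exactly the state a key-only tool cannot see at all.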