[403] in Best-of-Security
BoS: Microsoft hit with NT registry security flaw
daemon@ATHENA.MIT.EDU (Con Zymaris)
Fri Oct 17 00:07:44 1997
Date: Wed, 15 Oct 1997 09:11:19 +1000
From: Con Zymaris <conz@cyber.com.au>
Reply-To: conz@cyber.com.au
Old-X-Originally-To: To: cyber@cyber.com.au
Old-X-Originated-From: From: Con Zymaris <conz@cyber.com.au>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
Microsoft hit with NT registry security flaw
By Bob Trott
InfoWorld Electric
Posted at 2:10 PM PT, Oct 14, 1997
A security flaw has been discovered in Windows NT that allows devious users to install a Trojan horse program that could potentially wreak havoc on a system, or give the user administrative rights.
The hole in NT's default registry system -- which confers special access privileges in the Everyone setting -- is essentially a "backward compatibility" problem that stems from upgrading Windows 3.1 and Windows for Workgroups systems to NT, according to David LeBlanc, senior Windows NT security manager at Internet Security Systems (ISS), in Atlanta.
"You can add an executable in there and the system would run it on start-up," LeBlanc said Tuesday. "That's what it's meant for, but the problem is that you could look at the permissions on that key, and it's giving full control to everyone, and anyone could add items in that. You're supposed to be tweaking the settings back to where they really should have been in the first place, but most people are not going to know this."
"This means that any user with access to that machine could install a program that runs when the computer starts up, and this could allow somebody to install a Trojan horse," LeBlanc said.
To plug the security hole, Microsoft recommends editing the Registry so that "Everyone" in NT's permissions security setting has read-only access. Microsoft posted an article on the flaw at http://support.microsoft.com/support/kb/articles/q126/7/13.asp.
LeBlanc, along with officials at Axent Technologies, based in Rockville, Md., notified Microsoft about the potential security breach. Microsoft officials did not immediately return phone calls seeking comment.
ISS' Internet Security Scanner 5.0, the next version of its security software due out by the end of the year, will scour registries for the NT problem as well as others, LeBlanc said.
Microsoft Corp., in Redmond, Wash., can be reached at http://www.microsoft.com/. Internet Security Systems Inc. can be reached at http://www.iss.net/. Axent Technologies Inc. can be reached at http://www.axent.com/.
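The check that the recommended fix implies, as an added PowerShell example that is not part of the original article and not code from Microsoft or ISS: it reports ACL entries that grant Everyone (SID S-1-1-0) more than read access on a registry key. The article does not name the affected key, so the `Run` and `RunOnce` paths are assumptions chosen because values there launch at logon, and `Get-EveryoneWriteAce` is a hypothetical helper name.

```powershell
# Added example: audit registry keys for ACEs that let Everyone write.
# ASSUMPTION: the article does not name the affected key; these auto-start
# keys are used for illustration only.
$KeysToCheck = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Everyone is matched by its well-known SID so the check also works on
# localized systems where the group name is translated.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Any of these rights lets a user add or alter values, or change the ACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-EveryoneWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Key not found: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $isAllow = $r.AccessControlType -eq 'Allow'
            $granted = $r.RegistryRights -band $WriteMask
            if ($isAllow -and $r.IdentityReference -eq $Everyone -and $granted) {
                [pscustomobject]@{
                    Key       = $p
                    Rights    = $r.RegistryRights
                    Excess    = $granted      # the rights beyond read-only
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-EveryoneWriteAce -Path $KeysToCheck)
if ($findings.Count -eq 0) { 'No write access for Everyone on the checked keys.' }
else { $findings | Format-Table -AutoSize }
```

An entry with `Inherited` set to true has to be corrected on the parent key it comes from rather than on the key listed.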