Made Me Laugh
Thursday 25th May, 2006 09:06
I was reading about an alleged vulnerability in Windows and thought to myself "that sounds wrong". The person says (in a nutshell) you either have to:
a) replace logon.scr with a malicious screensaver
b) edit some registry keys to point the default screensaver to a malicious file
The problem with "a" is that you need to already be on the system to replace the file (i.e. an authenticated user) unless you've got direct access to the hard drive (in which case you can do what you like), and every other user on that system will see your malicious file - not very subtle. The problem with "b" is that only an Administrators group account (or SYSTEM) can edit the key to point it at another executable.
I was so annoyed that I thought about replying, but it turns out two people have already replied (see the links at the bottom of that page) and pointed out my thoughts. I did like the more subtle suggestion of replacing the sticky keys executable with cmd.exe (again, relies on an Admin or SYSTEM account), useful if you can temporarily gain the right privileges and want to be able to get back into a system again without leaving an obvious local admin account on a box.
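Both tricks discussed above (a swapped logon.scr or default screensaver entry, and sethc.exe replaced with cmd.exe) leave simple traces an administrator can look for. The script below is an added example, not code from the original post; it assumes a Windows host with PowerShell 4 or later, reads the real pre-logon screensaver value `HKEY_USERS\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE`, and expects `Get-AuthenticodeSignature` to resolve catalog signatures for system files.

```powershell
# Added defensive check (not from the original post). Looks for the two
# persistence tricks the post describes: a swapped sethc.exe and a
# redirected or replaced logon screensaver.
$sys32 = Join-Path $env:SystemRoot 'System32'
$cmd   = Join-Path $sys32 'cmd.exe'
$sethc = Join-Path $sys32 'sethc.exe'
$scr   = Join-Path $sys32 'logon.scr'
$findings = @()

# 1. Sticky Keys swapped for cmd.exe: a copied binary is byte-identical,
#    and its embedded OriginalFilename still says Cmd.Exe.
$cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
$sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
if ($cmdHash -eq $sethcHash) {
    $findings += "sethc.exe is byte-identical to cmd.exe"
}
$origName = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($origName -and $origName -notmatch '^sethc\.exe$') {
    $findings += "sethc.exe reports OriginalFilename '$origName'"
}

# 2. Both sethc.exe and logon.scr ship Microsoft-signed; a file dropped in
#    their place normally fails this check. (Assumes catalog signatures
#    are resolved by Get-AuthenticodeSignature on this platform.)
foreach ($f in @($sethc, $scr)) {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "$f signature status: $($sig.Status)"
        }
    }
}

# 3. The screensaver shown before anyone logs on comes from the .DEFAULT
#    hive; only Administrators/SYSTEM can write it, so anything outside
#    System32 or not ending in .scr is worth a look.
$desktop  = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
$scrnsave = (Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scrnsave -and ($scrnsave -notlike "$sys32\*.scr")) {
    $findings += "Default screensaver points at: $scrnsave"
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Run it from an elevated prompt so the System32 files and the HKEY_USERS hive are readable; a clean host prints "No indicators found".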
I've already stopped reading XSS reports from one person, perhaps I'll have to start a blacklist of people that I should just delete emails from as they arrive in my inbox.