Outlook and others Set Program Access and Computer Defaults

2015.01.05
Credit: Stefan
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll,

in order to prevent the possible execution of a rogue program like "C:\Program.exe" or "C:\Program Files\Microsoft.exe", on x64 also "C:\Program Files.exe" or "C:\Program Files (x86)\Microsoft.exe", due to the beginner's error of using unquoted pathnames containing spaces (see <https://cwe.mitre.org/data/definitions/428.html>), Windows' [*] "Set Program Access and Computer Defaults" (SPAD, see <http://msdn.microsoft.com/library/cc144162.aspx>) hides programs that are registered with such erroneous and vulnerable command lines. Examples are Microsoft Outlook 2007, Microsoft Outlook 2010 and Microsoft Outlook 2013.

If you have one of these versions of Microsoft Outlook installed but can't configure it with SPAD, export its registry entries with the erroneous and vulnerable command lines into a file OUTLOOK.REG:

REGEDIT.EXE /A OUTLOOK.REG "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo"

The file OUTLOOK.REG will look like this (the wildcard ? varies with your version of Outlook):

--- OUTLOOK.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadhideicons"
"ShowIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadshowicons"
"ReinstallCommand"="C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE /spadreinstall"
--- EOF ---

Open the file with your favorite editor and insert the string \" before and after (the 3 occurrences of) the pathname

C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE

The corrected file should look like this:

--- OUTLOOK.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadhideicons"
"ShowIconsCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadshowicons"
"ReinstallCommand"="\"C:\\Program Files\\Microsoft Office\\OFFICE1?\\OUTLOOK.EXE\" /spadreinstall"
--- EOF ---

Save your changes and import the file into the registry:

REGEDIT.EXE /S OUTLOOK.REG

Start SPAD again and find "Microsoft Office Outlook" now displayed as mail program.

enjoy
Stefan Kanthak

[*] at least Windows 7, but I assume this behaviour was introduced with Windows Vista; in earlier versions of Windows, SPAD still displays applications with erroneous and vulnerable command lines and runs rogue programs!

PS: will MSFT ever afford a QA that can find such bloody trivial beginner's errors?
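The manual edit above, done programmatically, as an added example that is not part of Stefan's post: a small script that parses a REGEDIT4 export, reports every *Command value whose unquoted executable path contains a space (the CWE-428 pattern SPAD hides), and writes the quoted form back in proper .reg escaping. The OFFICE14 directory in the embedded sample is a constructed stand-in for the version-specific OFFICE1? directory, and the rule "the executable ends at the first .exe" is an assumed heuristic, not part of the original.

```python
import re

# Constructed sample modelled on the OUTLOOK.REG export above; OFFICE14 is a
# placeholder for the version-specific OFFICE1? directory.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\InstallInfo]
"IconsVisible"=dword:00000001
"HideIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE14\\OUTLOOK.EXE /spadhideicons"
"ShowIconsCommand"="C:\\Program Files\\Microsoft Office\\OFFICE14\\OUTLOOK.EXE /spadshowicons"
"ReinstallCommand"="C:\\Program Files\\Microsoft Office\\OFFICE14\\OUTLOOK.EXE /spadreinstall"
'''

# "name"="value" lines; both sides may contain \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed heuristic: the executable is everything up to the first ".exe".
_EXE_RE = re.compile(r'^(.*?\.exe)(\s.*)?$', re.IGNORECASE)

def reg_unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # \\ -> \ and \" -> "

def reg_escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')

def unquoted_path_with_spaces(cmdline):
    # Returns the vulnerable (unquoted, space-containing) path, else None.
    if cmdline.startswith('"'):
        return None
    m = _EXE_RE.match(cmdline)
    if m and ' ' in m.group(1):
        return m.group(1)
    return None

def quote_command(cmdline):
    path = unquoted_path_with_spaces(cmdline)
    if path is None:
        return cmdline
    return '"%s"%s' % (path, cmdline[len(path):])

def fix_reg(text):
    # Returns (fixed_text, findings); findings are (key, value_name, path).
    out, findings, key = [], [], None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        m = _VALUE_RE.match(line)
        if m and m.group(1).lower().endswith('command'):
            name, cmd = reg_unescape(m.group(1)), reg_unescape(m.group(2))
            path = unquoted_path_with_spaces(cmd)
            if path:
                findings.append((key, name, path))
                line = '"%s"="%s"' % (reg_escape(name), reg_escape(quote_command(cmd)))
        out.append(line)
    return '\n'.join(out) + '\n', findings
```

Run fix_reg on the output of REGEDIT.EXE /A to audit an export before importing it with REGEDIT.EXE /S; a second pass over the fixed text reports nothing.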

References:

http://seclists.org/fulldisclosure/2015/Jan/3

