msiscan on GitHub
A Python script that runs on Linux. That's great, unless you are a Windows-only admin in prod ops, the sort of people who need this most. Now I have to stay up all night and figure out how I'm going to do this in PowerShell.
In this week's Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC. The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now …
Not sure if serious or not. However, there is a Python installer for Windows.
https://www.python.org/downloads/windows/
You could even wrap the install, script execution, and subsequent Python uninstall in a PowerShell script. I bet ChatGPT could smash that out from a one-sentence prompt.
Not trying to be snarky - hopefully helpful.
While this obviously takes it to a whole new level, I have seen similar problems with program installations with the "Launch (app name)" after installation (or updating) completes. In many cases, it leads to a running program which cannot interact with user-context activities, such as accessing a user's mapped drives or dragging and dropping from an Explorer window, etc. For my purposes, this has always been an annoyance, never considering under what user context the launched program was running.
Also, I thought we blocked the ability to launch programs like CMD.EXE and COMMAND.COM from a browser back in 1999, when people were using the file:// URI to break out of kiosks and similarly locked-down systems. Should we also shame Firefox for kicking security vulnerabilities old-school?
(I remember using this trick on billing and sales kiosks at Comcast and Sprint stores in the mall to do silly things.)
I just tried to open C:\WINDOWS\System32\cmd.exe in Firefox and it didn't open the command prompt but asked if I wanted to download the file. I also tried to furtle the settings but I couldn't find a way of making exe files launch instead of download.
Maybe launching Firefox as System makes it set up a new profile with defaults which allows this, who knows...
It seems that the installer launches the browser as an elevated process, and that the browser then uses the Windows standard file dialog (in the same user context), which itself has a flaw that allows the user to run an arbitrary command through the address bar.
It's a bit unfair to single out Firefox in this instance, since it is doing exactly what it has been asked to do (open a web page in a specific user context) and then has allowed the user to do something else sensible (use the standard Windows dialog to get a file to open when the user asks to open a file).
There are two pretty obvious flaws here:
1) The installer (running as an admin user) uses that user context to open the browser, and not the user context of the user that started the installer (presumably before being asked for admin credentials). That's a flaw in the installer, or the installer tooling that allows this; essentially using its elevated credentials to fire off an arbitrary external process. On this note, I wonder what would happen if the user were to set any other arbitrary program as the system's default browser? Would that get launched with admin credentials?
2) The system file open dialog allows the user to do things other than just select a file. That's an example of unwanted "feature creep". In this case, it's allowing the user to launch an arbitrary third process (cmd.com). It also allows other things like directory creation, that are not strictly file-opening related.
Is Google Search getting seriously dumber?
I was wondering about the "Linux script" rant and decided to look it up for myself.
My exact search was `"msiscan" github`, after Google first "corrected" the repo name for me.
Google replies: "It looks like there aren't many great matches for your search" although it does find this article along the way.
Bing - shudder - finds it right away.
What the eff? Not the first time Google drops the ball. Are they losing their lead while faffing over LLM-powered searches?
p.s. the reason for Python-on-WSL is that the script relies on some apt-installed package, `msitools`.
https://github.com/sec-consult/msiscan
> Install the (apt) package msitools. It contains msiinfo and msiextract that are needed as well.
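The two points raised earlier in the thread (an installer using its elevated context to spawn a program, and a script that needs msitools to take a package apart) can be checked together. The block below is an added example and is not msiscan's own code: it reads the CustomAction table of an MSI in the tab-separated IDT text form that `msiinfo export pkg.msi CustomAction` (from the msitools package) writes, decodes the documented Type bits of each action, and reports the ones that launch an executable while running deferred with the NoImpersonate bit set, i.e. as LocalSystem rather than as the installing user. The sample table, the action names and the property names in it are constructed for the example. This only tells you which actions are worth a closer look; what the launched program does afterwards (for instance, showing an elevated file dialog) is not visible from the table.

```python
"""Added example (not msiscan's own code): flag Windows Installer custom
actions that spawn a process while running as LocalSystem.

Input is the CustomAction table in IDT text form, the tab-separated export
that `msiinfo export pkg.msi CustomAction` (msitools) writes: three header
lines (column names, column types, table name plus key columns) followed by
one row per action. The Type column uses the documented bit layout:
  bits 0-5  basic type (EXE, DLL, script, set-property, error ...)
  0x400     msidbCustomActionTypeInScript      - deferred execution
  0x800     msidbCustomActionTypeNoImpersonate - run as LocalSystem, not the user
NoImpersonate only takes effect on deferred actions, so both bits must be set
for an action to run as SYSTEM.
"""
from dataclasses import dataclass

IN_SCRIPT = 0x400
NO_IMPERSONATE = 0x800
BASIC_TYPE_MASK = 0x3F

# Basic types that execute code (values from the Custom Action Types reference).
EXE_TYPES = {2: "EXE stored in Binary table", 18: "EXE installed with product",
             34: "EXE by path", 50: "EXE named by property"}
SCRIPT_TYPES = {5: "JScript (Binary)", 6: "VBScript (Binary)",
                21: "JScript (installed)", 22: "VBScript (installed)",
                37: "JScript (inline)", 38: "VBScript (inline)",
                53: "JScript (property)", 54: "VBScript (property)"}
DLL_TYPES = {1: "DLL stored in Binary table", 17: "DLL installed with product"}


@dataclass
class CustomAction:
    name: str
    type_: int
    source: str
    target: str

    @property
    def basic_type(self) -> int:
        return self.type_ & BASIC_TYPE_MASK

    @property
    def deferred(self) -> bool:
        return bool(self.type_ & IN_SCRIPT)

    @property
    def runs_as_system(self) -> bool:
        # NoImpersonate is ignored unless the action is deferred.
        return self.deferred and bool(self.type_ & NO_IMPERSONATE)

    @property
    def spawns_process(self) -> bool:
        # EXE actions create a new process; script and DLL actions run inside msiexec.
        return self.basic_type in EXE_TYPES

    def describe(self) -> str:
        kind = (EXE_TYPES.get(self.basic_type) or SCRIPT_TYPES.get(self.basic_type)
                or DLL_TYPES.get(self.basic_type) or f"type {self.basic_type}")
        ctx = ("LocalSystem" if self.runs_as_system
               else "installing user (deferred)" if self.deferred
               else "installing user (immediate)")
        return f"{self.name}: {kind}, context={ctx}, source={self.source!r}, target={self.target!r}"


def parse_idt(text: str) -> list[CustomAction]:
    """Parse an IDT export of the CustomAction table into CustomAction records."""
    lines = [ln for ln in text.splitlines() if ln != ""]
    if len(lines) < 3:
        raise ValueError("IDT file needs three header lines")
    columns = lines[0].split("\t")
    # lines[1] holds the column types, lines[2] the table name and key columns.
    if lines[2].split("\t")[0] != "CustomAction":
        raise ValueError("not a CustomAction table export")
    col = {name: i for i, name in enumerate(columns)}
    actions = []
    for row in lines[3:]:
        fields = row.split("\t")
        # IDT leaves nullable fields empty; pad short rows so indexing is safe.
        fields += [""] * (len(columns) - len(fields))
        actions.append(CustomAction(
            name=fields[col["Action"]],
            type_=int(fields[col["Type"]]),
            source=fields[col["Source"]],
            target=fields[col["Target"]],
        ))
    return actions


def system_process_actions(text: str) -> list[str]:
    """Names of custom actions that spawn an EXE while running as LocalSystem."""
    return [a.name for a in parse_idt(text) if a.spawns_process and a.runs_as_system]


# Constructed sample table (not from any real package). 3122 = 0xC32 is
# InScript|NoImpersonate|50, 1074 = 0x432 is InScript|50, 3090 = 0xC12 is
# InScript|NoImpersonate|18.
SAMPLE_IDT = "\n".join([
    "Action\tType\tSource\tTarget",
    "s72\ti2\tS64\tS255",
    "CustomAction\tAction",
    "LaunchBrowser\t3122\tBROWSER\thttps://example.invalid/thanks",
    "OpenReadme\t1074\tREADME_VIEWER\t[INSTALLDIR]readme.txt",
    "RunHelper\t3090\tHelperExe\t--postinstall",
    "SetInstallDir\t51\tINSTALLDIR\t[ProgramFilesFolder]ExampleApp",
    "AbortIfOld\t19\t\tThis package needs a newer Windows.",
]) + "\n"

if __name__ == "__main__":
    for action in parse_idt(SAMPLE_IDT):
        print(action.describe())
    print("runs an EXE as LocalSystem:", system_process_actions(SAMPLE_IDT))
```

On a real package, `msiinfo export pkg.msi CustomAction > ca.idt` on the WSL side produces the input; the sample above flags LaunchBrowser and RunHelper (deferred, NoImpersonate, EXE types) and leaves OpenReadme alone because, although deferred, it impersonates the installing user.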
Imagine what would happen if MS had not existed. Someone else's OS would have become the de facto OS used by businesses. The same marketing and sales people would have taken over, and added ill thought-out "features" to that instead. Meanwhile, black-hats, not having Windows as the main target to focus on, would have gone round finding software flaws in whatever the mainstream OS that took its place would be. If you think Microsoft's offerings are unusual in the number of programming flaws that make it to production, I have news for you about the nature of software development. In some ways, MS development processes are quite well thought-out, so the chances are that what we'd have instead would be a lot less disciplined, and hence a lot worse.
Having said all that, I have no particular love for MS, but blaming them for the existence of software flaws is going a bit too far. Windows is full of badly-written bloatware, yes, but I raise you SYSTEMD.