Sophos Cloud Optix
A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue.
The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows registry, which is a database of configuration settings for software programs, hardware devices, user preferences and the operating system itself.
Users can make changes to the registry using the Registry Editor program that ships with Windows, but this isn’t something that non-power users would normally do. Messing with the registry can cripple your machine or introduce security risks.
In most cases, when a Windows user really must make changes to the registry, they’ll do it by clicking on a file with a .reg extension. These files, provided by a trusted third party, alter the registry without the user having to enter anything.
This is why a dialog box appears when opening a .reg file, asking users if they trust the source and if they want to continue. It will then offer a ‘yes’ or ‘no’ choice.
Page’s attack changes that. In a document describing the process, he explains:
…we can inject our own messages thru the filename to direct the user to wrongly click “Yes”, as the expected “Are you sure you want to continue?” dialog box message is under our control.
He does this by using a carefully-crafted filename that uses characters encoded with the % symbol. The right character combination can delete the warning message and questions in the dialog box, replacing it with text that the attacker has put in the .reg filename. He continues:
This spoofing flaw lets us spoof the “Are you sure you want to continue?” warning message to instead read “Click Yes” or whatever else we like. Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.
Users of older Windows versions may still get suspicious, because pre-Windows 10 versions present a second dialog box confirming the registry change. However, Page was able to get rid of that box in Windows 10 by including a character combination to indicate null at the end of the filename.
The attack works with non-privileged (that is, non-administrator) users. If attempted by a user with administrator privileges, it will launch a User Account Control (UAC) dialog box asking if they want to make changes to the machine, Page points out in his description. This means an attacker would have to bypass UAC somehow to successfully compromise a user with administrative privileges.
Microsoft wasn’t impressed, Page reported. The company told him:
A registry file was created with the title you suggested, but the error message was clear.
Threatpost received a response from Microsoft senior security director Jeff Jones, explaining:
The issue submitted does not meet the severity bar for servicing via a security update.
A successful registry change could enable an attacker to change a variety of settings including file associations, Control Panel settings, and windows components. The registry is also a popular destination for malware droppers, which can store code there enabling malware to persist by running automatically on startup.
Some Linux boot tools allow Windows reg edits, could be an issue as you can do them without account privilege. 🙂
If you have direct physical access, all bets are off. Back in the Win2K/WinXP days I had a diskette that booted Linux and ran a script to reset the machine’s Admin password to no password or to a password of choice.
This is a little different. If the user can be persuaded to install software from a remote source, system changes could be made.
If you’ve got Bitlocker turned on then a Linux boot won’t get you access to the C:\ drive where the registry hive files are stored… the data on the disk is just so much shredded cabbage without the passphrase.
My first thought after reading this article was to mitigate this with “Application Control”. However, I don’t see any application control option for ‘regedit.exe’ in Sophos Central policies.
Why is this?
Hopefully you’re quietly fixing this? I make this assumption simply because my comment above has not been published ;D
It’s indeed crazy not regarding it as a ‘severe threat’!
Waiting for Microsoft to say it’s a feature, not a bug.
What bug? It’s a feature, right?
Simply another case of improper escaping. There are many CVEs due to this class of programming omissions. Generally, if some characters in the text to be displayed cause another behavior than just displaying that text, this is always considered as unsafe.
Another example of poor scripted testing letting a potentially serious bug through. The developers who write the test scripts never think there are such security issues with the software they have written so they are the wrong people to be writing the scripts and running the tests. When I worked in a software house we did scripted testing followed by user-style testing – deliberately looking for loopholes and/or ‘gotchas’ that were not shown up by scripted testing. Adds time to the process but improves the quality of the software and safety for users. Why don’t they work like that now? To save money at users’ expense.
This man is no fun.
He should have demonstrated the vulnerability with the message “Would you like a free ice-cream?”