Microsoft won’t patch Windows registry warning problem

19 Mar 2019 | Microsoft, Operating Systems, Organisations, Security threats, Vulnerability, Windows

by Danny Bradbury

A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue.

The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows registry, which is a database of configuration settings for software programs, hardware devices, user preferences and the operating system itself.

Users can make changes to the registry using the Registry Editor program that ships with Windows, but this isn’t something that non-power users would normally do. Messing with the registry can cripple your machine or introduce security risks.

In most cases, when a Windows user really must make changes to the registry, they’ll do it by clicking on a file with a .reg extension. These files, provided by a trusted third party, alter the registry without the user having to enter anything.

This is why a dialog box appears when opening a .reg file, asking users if they trust the source and if they want to continue. It will then offer a ‘yes’ or ‘no’ choice.

Page’s attack changes that. In a document describing the process, he explains:

…we can inject our own messages thru the filename to direct the user to wrongly click “Yes”, as the expected “Are you sure you want to continue?” dialog box message is under our control.


He does this by using a carefully crafted filename that contains characters encoded with the % symbol. The right character combination removes the warning message and question from the dialog box, replacing them with whatever text the attacker has put in the .reg filename. He continues:

This spoofing flaw lets us spoof the “Are you sure you want to continue?” warning message to instead read “Click Yes” or whatever else we like. Potentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.

Users of older Windows versions may still get suspicious, because pre-Windows 10 versions present a second dialog box confirming the registry change. However, Page was able to get rid of that box in Windows 10 by including a character combination to indicate null at the end of the filename.
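The two ingredients described above, percent-encoded control characters that rewrite the dialog text and a null at the end of the name, are both things a defender can look for before a .reg file is ever opened. The following Python is an added example, not code from the article, from Sophos or from the researcher: it assumes a dialog that percent-decodes the filename it displays, as the article describes, and the function names (`percent_decode`, `audit_reg_filename`, `display_safe`) and the sample filenames are constructed for illustration.

```python
import re

# One percent-encoded byte, e.g. %0A (line feed) or %00 (null).
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Human-readable names for the control characters that matter most in
# dialog text: null truncates C strings, CR/LF move text onto new lines.
CONTROL_NAMES = {0x00: "NUL", 0x09: "TAB", 0x0A: "LF", 0x0D: "CR"}


def percent_decode(name: str) -> str:
    """Decode %XX sequences the way a naive display routine would."""
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), name)


def audit_reg_filename(name: str) -> dict:
    """Decode the name and report every control character it would yield.

    Returns the decoded text, a list of (name, position) findings and a
    'suspicious' flag. Any control character in a filename destined for a
    confirmation dialog is a red flag, because it changes what the dialog
    shows instead of merely being shown.
    """
    decoded = percent_decode(name)
    findings = []
    for pos, ch in enumerate(decoded):
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            findings.append((CONTROL_NAMES.get(code, f"C{code:02X}"), pos))
    return {"decoded": decoded, "findings": findings, "suspicious": bool(findings)}


def display_safe(name: str) -> str:
    """Render the decoded name so control characters appear literally.

    This is the escaping step the comments on the article call for: text
    that comes from an untrusted filename should never be able to reshape
    the warning it is embedded in, so non-printable characters are shown
    as visible \\xNN escapes rather than interpreted.
    """
    decoded = percent_decode(name)
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in decoded)


if __name__ == "__main__":
    # Constructed samples: one benign name, one that smuggles a line feed and a null.
    for sample in ("update.reg", "update%0Asettings%00.reg"):
        report = audit_reg_filename(sample)
        print(f"{sample!r}: suspicious={report['suspicious']} findings={report['findings']}")
        print(f"  safe to display as: {display_safe(sample)}")
```

Run stand-alone it prints the audit for both constructed names; the second is flagged for the line feed at offset 6 and the null at offset 15, and `display_safe` shows how the same name looks once the control characters are neutralised. A benign `%` (for example `100%25.reg`) decodes to a plain percent sign and produces no finding, so the check does not simply reject every percent-encoded name.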

The attack works with non-privileged (that is, non-administrator) users. If attempted by a user with administrator privileges, it will launch a User Account Control (UAC) dialog box asking if they want to make changes to the machine, Page points out in his description. This means an attacker would have to bypass UAC somehow to successfully compromise a user with administrative privileges.

Microsoft wasn’t impressed, Page reported. The company told him:

A registry file was created with the title you suggested, but the error message was clear.

Threatpost received a response from Microsoft senior security director Jeff Jones, explaining:

The issue submitted does not meet the severity bar for servicing via a security update.

A successful registry change could enable an attacker to alter a variety of settings, including file associations, Control Panel settings and Windows components. The registry is also a popular destination for malware droppers, which can store code there so that the malware persists by running automatically on startup.


11 comments on “Microsoft won’t patch Windows registry warning problem”

  1. Daniel Horner says:
    March 19, 2019 at 3:02 pm

    Some Linux boot tools allow Windows reg edits, could be an issue as you can do them without account privilege. 🙂

    • Laurence Marks says:
      March 19, 2019 at 6:13 pm

      If you have direct physical access, all bets are off. Back in the Win2K/WinXP days I had a diskette that booted Linux and ran a script to reset the machine’s Admin password to no password or to a password of choice.

      This is a little different. If the user can be persuaded to install software from a remote source, system changes could be made.

      • Paul Ducklin says:
        March 20, 2019 at 8:42 am

        If you’ve got Bitlocker turned on then a Linux boot won’t get you access to the C:\ drive where the registry hive files are stored… the data on the disk is just so much shredded cabbage without the passphrase.

  2. Simon McAllister says:
    March 19, 2019 at 4:17 pm

    My first thought after reading this article was to mitigate this with “Application Control”. However, I don’t see any application control option for ‘regedit.exe’ in Sophos Central policies.
    Why is this?

    • Simon McAllister says:
      March 20, 2019 at 9:51 am

      Hopefully you’re quietly fixing this? I make this assumption simply because my comment above has not been published ;D

  3. Philip says:
    March 19, 2019 at 6:40 pm

    It’s indeed crazy not regarding it as a ‘severe threat’!

  4. Anonymous says:
    March 19, 2019 at 7:13 pm

    Waiting for Microsoft to say it’s a feature, not a bug.

  5. L B says:
    March 19, 2019 at 7:15 pm

    What bug? It’s a feature, right?

  6. Ondrej Holas says:
    March 20, 2019 at 9:01 am

    Simply another case of improper escaping. There are many CVEs due to this class of programming omissions. Generally, if some characters in the text to be displayed cause another behaviour than just displaying that text, this is always considered unsafe.

  7. MikeP_UK says:
    March 20, 2019 at 11:59 am

    Another example of poor scripted testing letting a potentially serious bug through. The developers who write the test scripts never think there are such security issues with the software they have written so they are the wrong people to be writing the scripts and running the tests. When I worked in a software house we did scripted testing followed by user-style testing – deliberately looking for loopholes and/or ‘gotchas’ that were not shown up by scripted testing. Adds time to the process but improves the quality of the software and safety for users. Why don’t they work like that now? To save money at users’ expense.

  8. Niall says:
    March 20, 2019 at 2:04 pm

    This man is no fun.
    He should have demonstrated the vulnerability with the message “Would you like a free ice-cream?”
