Sunday, October 21, 2007

Windows Vista important security announcement

It's come to my attention that there is a serious security issue in Windows Vista that all users should be aware of. It involves the use of Unicode characters to change the way that a filename appears in the explorer and desktop to make a dangerous executable in screensaver (.scr) format appear to be a harmless JPG. This vulnerability doesn't appear to exist in XP, only Vista. The following screenshots, as captured by Max Ried, demonstrate the vulnerability and show how serious the problem is.

The file on the XP desktop: The file on the Vista desktop:

As you can see the only way to identify it as not being just a picture is by hovering your mouse over it. It appears to me that this is done by using a particular character, which is actually 2 Unicode characters, one being the circle of commas, the other being the code which causes everything after it to be typed backwards. You can see how it works by copying the character, and pasting it into any text entry box, such as notepad.exe, then start typing right after you paste it. The character is at the bottom of this post as it becomes very hard to type forwards if pasted anywhere in the middle of the article. It looks like the filename is made up of the code to insert the gpj. backwards at the end of the filename (or appear as such to the viewer,) and then the actual filename, Nice Picture.scr. Apparently XP is not affected because it does not correctly support Unicode for filenames within explorer.exe and therefore the desktop. This vulnerability was first demonstrated at Heise Security and adapted here to include my additional data on the cause.

Another view of the problem in the 7Zip program, first in XP:

And in Vista:

And now the character I believe is responsible, along with the character that makes it possible to copy and paste it, otherwise the character doesn't take up any space and therefore can't be highlighted to copy, it would just cause everything you typed after it to be backwards, as I'll demonstrate here:


this is what happens after you paste and start typing

No comments: