Microsoft Antispyware Mystery Windows Revealed

Max Burke

Microsoft Antispyware Mystery Windows Revealed
http://news.yahoo.com/news?tmpl=story&u=/zd/20050412/tc_zd/149795

-----------------------------------------------------------
Quote
-----------------------------------------------------------
Tue Apr 12, 8:47 AM ET

Neil J. Rubenking - PC Magazine

Monday's [April 11] edition of the Full-disclosure security e-mail
newsletter reported an odd discovery. One of the group's members was
configuring a system for multiple monitors and happened to set up the
second monitor to the left of the main screen. He was surprised to find a
peculiar-looking window on the secondary screen sporting several copies of
the Microsoft Antispyware icon and some oddly-titled, overlapping buttons.
Clicking the buttons affected the tool's tray icon tooltip, and closing the
window closed down Microsoft Antispyware. The newsletter authors wondered
aloud if this represented any kind of vulnerability, a reasonable question
since some malicious programs rely on hidden windows.

PC Magazine investigated and found that the window does indeed exist,
positioned using negative coordinates so that it would normally be hidden
from view. On our test system the window was found at -333,-333. Another
window was placed off-screen to the right of the visible area, at 1204,875
on a 1024x768 display. This one was literally hidden - its "visible" property
was set to "False."

Microsoft's product is built on GIANT Company Antispyware, which they
acquired in December of 2004. Sunbelt Software's CounterSpy is derived in
part from the same source, so we put it under the microscope, as well. We
found a near-identical pair of hidden windows, differing only in the window
titles and the icons used.

Sunbelt representatives verified that the windows are used to store icon
resources and to keep the antispyware ActiveX control resident in memory.
Future versions will use a more elegant technique, but since the hidden
windows are harmless, this particular update isn't a top priority. Given
the growing popularity of multiple monitor configurations, programmers in
general will want to think twice about hiding windows by placing them
outside the normal viewing area.
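
The article's closing point, that an "off-screen" window is only hidden relative to one monitor layout, can be checked with a small audit. This is an added example, not code from the article or from either product; the window titles and sizes are constructed (the article gives only the positions, the 1024x768 display and the "visible" flag), and the second monitor's geometry is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    width: int
    height: int

    def intersects(self, other):
        # True when the two rectangles share at least one pixel.
        return (self.left < other.left + other.width
                and other.left < self.left + self.width
                and self.top < other.top + other.height
                and other.top < self.top + self.height)

@dataclass(frozen=True)
class Window:
    title: str      # constructed label, not the real window title
    rect: Rect
    visible: bool   # the window's "visible" property

def classify(win, monitors):
    """'hidden' if the visible flag is off, else on-/off-screen by geometry."""
    if not win.visible:
        return "hidden"
    if any(win.rect.intersects(m) for m in monitors):
        return "on-screen"
    return "off-screen"

def audit(windows, monitors):
    return {w.title: classify(w, monitors) for w in windows}

def exposed_by_layout_change(windows, before, after):
    """Windows that were off-screen under one layout and show up under another."""
    return [w.title for w in windows
            if classify(w, before) == "off-screen"
            and classify(w, after) == "on-screen"]

# Constructed sample data. On a live system these records would come from
# the Win32 calls EnumWindows, GetWindowRect and IsWindowVisible.
SINGLE = [Rect(0, 0, 1024, 768)]                 # the article's test display
DUAL = SINGLE + [Rect(-1024, 0, 1024, 768)]      # assumed monitor to the left
WINDOWS = [
    Window("icon-holder", Rect(-333, -333, 320, 400), True),   # size assumed
    Window("control-host", Rect(1204, 875, 200, 100), False),  # size assumed
]
```

Only the window that relies on coordinates changes state when the layout changes; the one with its visible flag cleared stays hidden under both.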
 
Bill Sanderson

And I'm sure the Microsoft developers would say something similar. I'd bet
that we will see revised code from Microsoft before Sunbelt. Recheck this
issue when beta2 is released.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Max Burke

Bill Sanderson scribbled: And I'm sure the Microsoft developers would say
something similar. I'd bet that we will see revised code from Microsoft
before Sunbelt. Recheck this issue when beta2 is released.

I've finished my beta testing 'program' for the time being, and have
uninstalled MSAS.

IMO there are too many minor but annoying bugs to rely on it as a
'production' anti spyware tool....


I now await the final release of MSAS...
 
Bill Sanderson

I suspect that beta2 will look quite different, and hope you will give it a
test as well. I can't give you a date for when it'll be available, though.
 
