Windows Registry Bug That Hides Keys And Values - 26 August 2005

Mel

Yesterday, the Internet Storm Center reported a problem with
the Registry of Windows, where long keys or value names (longer than 255
characters) would be hidden from regedit.exe and probably other parts of
Windows.

Since according to the ISC, it has been reported that Spybot-S&D
(including our resident protection named TeaTimer) may not be able to
deal with these overlong entries, we have created a series of tests with
keys and values with more than 255 characters, and have found no
problems in Spybot-S&D's handling of these. Furthermore, since
regedit.exe was not able to deal with all these keys, we had to use
RegAlyzer to apply these entries, thus verifying at the same time that
our own registry editor RegAlyzer will correctly process and display
these entries.

RegAlyzer is a tool to browse and change the registry.

http://www.safer-networking.org/en/regalyzer/index.html
 

"SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert
System - Current Infosec News and Analysis"
http://isc.sans.org/diary.php


Relevant diaries (at time of post):
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25


--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
Thanks for the additional information. :-)

yw. ISC is daily reading for me...*tries to think of its relevance to
a.c.f...oh I know: ISCAlert from http://isc.sans.org/infocon.php ;-)

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
Adam said:
yw. ISC is daily reading for me...*tries to think of its relevance to
a.c.f...oh I know: ISCAlert from http://isc.sans.org/infocon.php ;-)
From the site:
Spybot-S&D stated that their product is able to check values with long
names. Our further testing today, indicates that RegAlyzer 1.1 and
Spybot-S&D 1.4 (under the tools -> System Startup section in advanced
mode) both do, in fact, see the values with long names and all
subsequent values. Our diary yesterday quoted a user experiencing no
alert from Spybot, however, we assume, at this point, that the value
that he used along with the long name did not include a signature for
which Spybot-S&D issues alerts.

GA
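
A defender's check for the condition discussed in this thread, added here as an example (it is not code from Spybot-S&D, RegAlyzer or the ISC): it flags value names longer than 255 characters and, following the ISC quote above, the values enumerated after them in the same key. Auditing the Run keys, the function names and the sample entries are assumptions of this example.

```python
import sys

NAME_LIMIT = 255  # per the thread: names longer than this were hidden from regedit.exe
# Assumption: auditing the Run keys is this example's choice, not stated in the thread.
RUN_KEYS = [("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run")]
# Constructed sample in enumeration order, used when not running on Windows.
SAMPLE = [("HKCU\\Run", "ctfmon", "ctfmon.exe"),
          ("HKCU\\Run", "A" * 256, "C:\\sample\\x.exe"),
          ("HKCU\\Run", "updater", "C:\\sample\\u.exe"),
          ("HKLM\\Run", "B" * 255, "C:\\sample\\ok.exe")]


def audit(entries, limit=NAME_LIMIT):
    """entries: (key_path, value_name, data) tuples in enumeration order.
    Flags overlong names and the values enumerated after them in the same key."""
    findings, affected_keys = [], set()
    for key_path, name, data in entries:
        if len(name) > limit:
            affected_keys.add(key_path)
            reason = "overlong-name"
        elif key_path in affected_keys:
            reason = "follows-overlong-name"
        else:
            continue
        findings.append({"key": key_path, "reason": reason, "length": len(name),
                         "name": name[:40], "data": data})  # name truncated for logs
    return findings


def enum_values(hive_name, subkey):
    """Yield (key_path, value_name, data) for each value of one key (Windows only)."""
    import winreg  # imported here so audit() stays usable on other platforms
    try:
        key = winreg.OpenKey(getattr(winreg, hive_name), subkey, 0, winreg.KEY_READ)
    except OSError:
        return  # key absent or not readable by this account
    with key:
        for index in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _type = winreg.EnumValue(key, index)
            yield hive_name + "\\" + subkey, name, data


if __name__ == "__main__":
    live = sys.platform == "win32"
    entries = [e for h, s in RUN_KEYS for e in enum_values(h, s)] if live else SAMPLE
    for hit in audit(entries):
        print("{key}: {reason}, name length {length}, data {data!r}".format(**hit))
```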
 
Mel typed:
Yesterday, the Internet Storm Center reported a problem with
the Registry of Windows, where long keys or value names (longer than
255 characters) would be hidden from regedit.exe and probably other
parts of Windows.

So what else is new.

"... an attacker can't hide anything without first breaking into a system.
"This issue could not allow an attacker to remotely or locally attack a
user's computer," the Microsoft representative said. "Rather, the attacker
would already have to have compromised the computer or convinced the
computer user to run malicious software."
According to Microsoft, the issue is not a security vulnerability, but a
function within the operating system that could be misused. Microsoft said
it is not aware of the trick being employed to hide software."
http://news.com.com/Flaw+may+hide+m...3-5843863.html?part=rss&tag=5843863&subj=news

DanlK, FYI Services Collectibles
www.FYIS.org
 