This shell extension is trying to detour the operating system, and it failed. (Note that Windows does not support apps detouring the operating system. This shell extension has exited into unsupported territory.)

Some debug-stepping later it turns out it’s… JSON!

Of course it is. But a really solid reversing effort. And a nice fix.

source: HN

This blog post is an in-depth dive into the security features of the Intel/Windows platform boot process. In this post I’ll explain the startup process through security focused lenses, next post we’ll dive into several known attacks and how there were handled by Intel and Microsoft. My wish is to explain to technology professionals not deep into platform security why Microsoft’s SecureCore is so important and necessary.

Not exclusive to Windows systems, lots of PC platform details.

source: grugq

BitLocker is a modern data protection feature that is deeply integrated in the Windows kernel. It is used by many corporations as a means of protecting company secrets in case of theft. Microsoft recommends that you have a Trusted Platform Module which can do some of the heavy cryptographic lifting for you.

If we smash shift 5 times in quick succession, a link to open the Settings app appears, and the link actually works. We cannot see the launched Settings app. Giving the launched app focus is slightly tricky; you have to click the link and then click a place where the launched app would be visible with the correct timing. The easiest way to learn to do it is, keep clicking the link roughly 2 times a second. The sticky keys windows will disappear. Keep clicking! You will now see a focus box is drawn in the middle of the screen. That was the Settings app, and you have to stop clicking when it gets focus.

Accessibility UX wins again.

source: HN

I start by downloading the processor documentation from the manufacturer and reading through the entire instruction set. That teaches me about the processor architecture in general. The next step is seeing how Windows uses it.

That part usually starts with digging out the Windows NT installation CD for the relevant architecture and extracting the NOTEPAD.EXE program. I choose Notepad because it’s relatively small, or at least it was relatively small at the time. Furthermore, I have an old copy of the source code, which makes the reverse-compiling easier. The source code I have doesn’t always perfectly match the build of Windows that the CD was created from, but it’s usually close enough.

This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild.

At Project Zero we often refer to our goal simply as “make 0-day hard”. Members of the team approach this challenge mainly through the lens of offensive security research. And while we experiment a lot with new targets and methodologies in order to remain at the forefront of the field, it is important that the team doesn’t stray too far from the current state of the art. One of our efforts in this regard is the tracking of publicly known cases of zero-day vulnerabilities. We use this information to guide the research. Unfortunately, public 0-day reports rarely include captured exploits, which could provide invaluable insight into exploitation techniques and design decisions made by real-world attackers. In addition, we believe there to be a gap in the security community’s ability to detect 0-day exploits.

Chrome: Infinity Bug - https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html

Chrome Exploits - https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html

Android Exploits - https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html

Android Post-Exploitation - https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html

Windows Exploits - https://googleprojectzero.blogspot.com/2021/01/in-wild-series-windows-exploits.html

So the issue is such: If you have a joystick plugged in, and the GeForce Experience overlay enabled, your display will not sleep. If you unplug the joystick, the display sleeps. If you disable the overlay, the display sleeps. You can have one or the other - but not both. People hadn’t just tracked the issue down - people tracked it down 3 years ago!

But now for the deep dive disassembly to find and fix the bug. Solid work.

source: HN

The behavior of the Windows scheduler changed significantly in Windows 10 2004, in a way that will break a few applications, and there appears to have been no announcement, and the documentation has not been updated. This isn’t the first time this has happened, but this change seems bigger than last time.

The short version is that calls to timeBeginPeriod from one process now affect other processes less than they used to, but there is still an effect.

The CharUpper function tries to convert the string in place, but if the uppercase and lowercase versions of a character are not the same length, then it panics and does something strange.

Also: https://devblogs.microsoft.com/oldnewthing/20200803-00/?p=104038

What we have here is a case of creating an insecure system and then being surprised that the system is insecure.

This is all too common, but the fix is equally shortsighted. Always too much focus on narrow aspect of the problem.

They claimed that the issue could be fixed by simply adding the ampersand to the list of illegal file name characters. They forgot about the percent sign (for injecting environment variables), the caret (for escaping), and possibly even the apostrophe.

A few months back, there was a post on Reddit (link), which described a game that used an open source clone of Notepad to handle all its input and rendering. While reading about it, I had the thought that it would be really cool to see something similar that worked with stock Windows Notepad. Then I spent way too much of my free time doing exactly that.

I ended up making a Snake game and a small ray tracer that use stock Notepad for all input and rendering tasks, and got to learn about DLL Injection, API Hooking and Memory Scanning along the way. It seemed like writing up the stuff I learned might make for an interesting read, and give me a chance to show off the dumb stuff I built at the same time, so that’s what these next couple blog posts will be about.

source: HN

Avast will no longer collect or sell its users’ internet browsing data

...after getting caught.

Somewhat old, but deserves a spot in the archive of malfeasance.

source: cox

People think it’s weird that I do all my development on a Windows machine. It’s definitely a second-class citizen experience in the wider development world, and Windows has a lot of really frustrating issues, but it’s still my favorite operating system. This is for exactly one reason: AutoHotKey.

AHK is an engine for mapping keystrokes to scripts. I wouldn’t call it particularly elegant, and it’s filled with tons of redundancy and quirks. Even its fans admit how nasty the language can be. But it hooks into the whole Windows system and makes it easy to augment my workflow. It’s given me a far greater degree of control over my computer than I ever managed to achieve with another OS.

source: L

This investigation started, as so many of mine do, with me minding my own business, not looking for trouble. In this case all I was doing was opening my laptop lid and trying to log on. The first few times that this resulted in a twenty-second delay I ignored the problem, hoping that it would go away. The next few times I thought about investigating, but performance problems that occur before you have even logged on are trickier to solve, and I was feeling lazy. When I noticed that I was avoiding closing my laptop because I dreaded the all-too-frequent delays when opening it I realized it was time to get serious.

A lot of effort for a rather unsatisfactory conclusion, but I won’t spoil the surprise.

So you tell me: Was this somebody carrying out an elaborate prank or somebody who simply didn’t understand what they were doing?

Whether it was intended as such or not, this ended up being an effective denial-of-service attack against me personally, since I ended up spending quite a bit of time watching the videos closely, then reverse-engineering what the finder believed the vulnerability to be, and then studying the videos again to find out where they went wrong.

I was feeling frustrated just reading the story.

Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.

source: grugq

In Windows 3.0, the data segment that recorded the locations of all the other data segments was named the BurgerMaster.

The Burgermaster restaurant was so important that Bill Gates’s secretary kept it on speed dial. In fact, it wasn’t just on speed dial for Bill Gates’s secretary. It was a company-wide speed dial number. You could call them to order a burger, walk next door, and your order would be ready and waiting for you.

This post is a quick day one recap of what we know so far about CVE-2020-0601, what Microsoft has dubbed the Windows CryptoAPI Spoofing Vulnerability. I haven’t heard a catchy name yet, so I vote for Chain of Fools with a dutiful nod to the queen of soul, Aretha Franklin. The analyses presented (my own included) are only as good as the information we have on hand, which so far is still fairly thin on technical details. This is by no means intended to be exhaustive or authoritative, just a curated selection of information sources from people who are technically credible or experts in the field.

Also: https://blog.trailofbits.com/2020/01/16/exploiting-the-windows-cryptoapi-vulnerability/

https://whosecurve.com/

https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

https://medium.com/zengo/win10-crypto-vulnerability-cheating-in-elliptic-curve-billiards-2-69b45f2dcab6

source: green

The breach last March would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and PCs. The financial impact would eventually approach $71 million.

All of that damage had been set in motion three months earlier when one employee unknowingly opened an infected email from a trusted customer. That allowed hackers to invade the IT infrastructure and covertly plant their virus.

This is kinda fluffy, but somewhat interesting.

source: grugq

With the release of macOS 10.15 (Catalina), Apple has dropped support for running 32-bit executables and removed the 32-bit versions of system frameworks and libraries. Most Windows applications our users run with CrossOver are 32-bit and CrossOver uses a 32-bit Mac executable, system frameworks, and libraries to run them. This will break with Catalina.

And then comes the fun part:

We have built a modified version of the standard C language compiler for macOS, Clang, to automate many of the changes we need to make to Wine’s behavior without pervasive changes to Wine’s source code.

First, our version of Clang understands both 32- and 64-bit pointers. We are able to control from a broad level down to a detailed level which pointers in Wine’s source code need to be 32-bit and which 64-bit. Any code which substitutes for Windows at the interface with the Windows app has to use 32-bit pointers. On the other hand, the interfaces to the system libraries are always 64-bit.

source: grugq