[German]Last week, the Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release was published. Today I like to take a brief look at the MDOP/MBAM update KB4340040 under security aspects.
Microsoft Desktop Optimization Pack (MDOP) Update
The Microsoft Desktop Optimization Pack (MDOP) is intended for administrators in the Windows environment who have a Software Assurance contract. It is a portfolio of technologies available as a subscription for Software Assurance customers. MDOP is designed to help improve compatibility and management, reduce support costs, improve asset management and improve policy control. On July 11, 2018, Microsoft released the Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release. I wrote about update KB4340040 within my blog post Microsoft Desktop Optimization Pack (MDOP) July 2018 Service Release.
Use the .msi Installer for security reasons!
I also mentioned within my blog post, that Microsoft provides the installer both as an .exe file and as an .msi installation file. Within my blog post I had recommended to use the .msi installation file for security reasons. The .exe installers often unpack the installation files into temporary folders before starting the installation with administrator rights. However this is bad ‘programming practice’, because it a potential security risk (for DLL hijacking) and should be avoided. Also Microsoft is aware of that and provided many hints not to do that in some ‘does and don’t programming articles’-
Vulnerabilities in MDOP/MBAM
I informed German security researcher Stefan Kanthak about the blog post and he investigated the MDOP/MBAM .exe installers. Then he contacted the Microsoft Security Research Team (MSRC).
> From: Stefan Kanthak
> Received: Sun Jul 15 2018 03:40:19 GMT-0700 (Pacific Daylight Time)
> To: <Microsoft Security Response Center>; Microsoft Security Response Center; Microsoft Security Response Center
> Cc: ….; CERT; CERT/CC; email@example.com; ….
> Subject: KB4340040: multiple vulnerabilities allow escalation of privilege CRM:0461057028
> Hi, you just released “July 2018 servicing release for Microsoft Desktop Optimization Pack” The executable installers
MBAM2.5_Client_x64_KB4340040.exe MBAM2.5_Client_x86_KB4340040.exe MBAM2.5_X64_Server_KB4340040.exe
you offer for download from are but VULNERABLE!
1. All three executable installers are vulnerable to DLL hijacking: they load multiple system DLLs from their “application directory”, typically the user’s “Downloads” directory %USERPROFILE%\Downloads\, instead from Windows’ “systemdirectory” %SystemRoot%\System32\, resulting in arbitrary code execution. On a fully patched Windows 7 SP1,
MBAM2.5_Client_x64_KB4340040.exe and MBAM2.5_Client_x86_KB4340040.exe
load AT LEAST the following rogue DLLs: msls31.dll, propsys.dll, ntmarta.dll, version.dll, secur32.dll
On a fully patched Windows 7 SP1, BAM2.5_X64_Server_KB4340040.exe loads AT LEAST the following rogue DLLs: uxtheme.dll, cabinet.dll, msi.dll, version.dll For this well-known and well-documented BEGINNER’S ERROR
That’s what I’ve had in mind, as I mentioned to avoid the .exe installers. Stefan Kanthak refers the MSRT in his mail to his own Microsoft documentation or guidelines, which outlaws such things. I recently received an e-mail from Stefan Kanthak with the MSRC team’s answer. First, Microsoft’s security team confirmed that KB4340040 contains multiple vulnerabilities allowing escalation of privilege and escalated the case internally for review. Then they came out with the confirmation of security breaches:
From: “Microsoft Security Response Center” <firstname.lastname@example.org>
To: “Microsoft Security Response Center” <email@example.com>; “Stefan Kanthak”
Sent: Monday, July 16, 2018 9:37 PM
[Stefan wrote:] for your information: as expected, the MSRC confirms these BLOODY BEGINNERS ERROR in the latest MDOP/MBAM update KB4340040, but writes that no security fix will be released.
“Defense in depth — the Microsoft way” … oder “trustworthy computing” was yesterday …
Unfortunately, “DLL spoofing” has been known since the day before yesterday, see <https://skanthak.homepage.t-online.de/ntintrotosec.html> This is a short version of the NSA Guide written by the same author. <http://fy.chalmers.se/~appro/nt/nsaguide.pdf>; see pages 105/106 there
That’s odd! Microsoft has released a ton of programmers guide lines, that recommend to avoid this programming practice. But their own developers are ignoring those good programming practice guidelines. I’ve mentioned several cases with Skype installer and Office Ose.exe installer for instance within my German blog.