Microsoft has been offering the new Chromium-based Edge browser for a few days now. However, the security of the Windows installer it provides is quite poor.
It was another 'harmless' mail I received from German security expert Stefan Kanthak. He asked me about the new Chromium based Edge browser from Microsoft:
have you already installed MicrosoftEdgeSetup.exe on Windows 7?
The installation program (a self-extractor) is once again the industry-standard insecure and broken junk…
At this point I was curious and wanted to test it myself. So I quickly downloaded the installer and copied it into my test bed.
The test bed is provided by Stefan Kanthak, who deals with such security issues. You can download the file Forward.cab from his website and extract it into a folder. There is also a Sentinel.exe, which also needs to be copied into this folder. That folder is then the test bed.
Note: If a virus scanner raises an alarm when you visit Kanthak's website: he serves the EICAR test file in a data block attribute on his website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then trigger.
Installer Security Issues
With regard to the setup program (.exe file), Stefan Kanthak describes the following topics that caught my attention:
- 0. Only plus point: it does not request administrator rights at start-up;
- 1. but it loads at least VERSION.dll from its "application directory";
However, when I launched the setup file MicrosoftEdgeSetup.exe, it requested administrator privileges through User Account Control. There was also no alert when running it in my test bed.
After an exchange of mails with Stefan Kanthak, the facts were clear. The Edge setup file that downloads the browser from the Internet does not need administrator rights. Rather, the program downloads and unpacks the files needed for Edge into a temporary directory before running them. So it was clear why the test bed did not work. I then launched the downloaded setup exe file with the command:
MicrosoftEdgeSetup.exe /?
The installer/unpacker does not support any options, but it tries to load certain DLLs. There I already got several warnings (see the following picture) that DLL files would be loaded from the current directory.
So the installer is vulnerable to DLL hijacking, at least during unpacking. I have already warned here in the blog about several tools with such vulnerabilities. Unfortunately, Microsoft's installers are frequently among them.
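The warnings the test bed raises can also be found after the fact in a Process Monitor trace: a CreateFile on a .dll name in the directory the installer was started from (usually Downloads), or on a .dll under %TEMP%, is exactly the pattern described above. The following is an added example, not code from the blog post or from Microsoft; the log rows are constructed in Process Monitor's default CSV export layout, and the directory names are assumptions.

```python
"""Flag DLL probes that an installer makes in user-writable directories.

Added example, not code from the blog post or from Microsoft. It scans
Process Monitor CSV export rows for CreateFile operations on .dll paths
that fall under the directory the installer was started from or under
%TEMP%, which is the pattern the blog observed for MicrosoftEdgeSetup.exe.
The log rows below are constructed for illustration, not captured output;
the column layout assumed is Process Monitor's default CSV export.
"""
import csv
import io
import ntpath

# Constructed sample rows (not a real capture).
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","MicrosoftEdgeSetup.exe","4120","CreateFile","C:\\Users\\test\\Downloads\\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000010","MicrosoftEdgeSetup.exe","4120","CreateFile","C:\\Windows\\System32\\VERSION.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000020","MicrosoftEdgeSetup.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:00:01.0000030","MicrosoftEdgeSetup.exe","4120","CreateFile","C:\\Users\\test\\AppData\\Local\\Temp\\EU753E.tmp\\msedgeupdate.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:00:01.0000040","MicrosoftEdgeSetup.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"""


def _under(path, directory):
    """Case-insensitive test whether path lies inside directory (NT semantics)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\")
    return p == d or p.startswith(d + "\\")


def find_risky_dll_probes(log_text, app_dir, temp_dir):
    """Return (path, result, reason) for every CreateFile on a .dll under
    app_dir or temp_dir, in log order.

    A NAME NOT FOUND in app_dir means the loader looked there before it
    found the system copy; a SUCCESS under temp_dir means code was loaded
    from a directory every process of the user can write to."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        if _under(path, app_dir):
            reason = "probed in the application directory"
        elif _under(path, temp_dir):
            reason = "loaded from %TEMP%"
        else:
            continue
        findings.append((path, row["Result"], reason))
    return findings


def summarize(findings):
    """Group findings by reason so a report lists the hijackable names together."""
    summary = {}
    for path, result, reason in findings:
        summary.setdefault(reason, []).append((ntpath.basename(path), result))
    return summary


if __name__ == "__main__":
    hits = find_risky_dll_probes(SAMPLE_LOG, r"C:\Users\test\Downloads",
                                 r"C:\Users\test\AppData\Local\Temp")
    for reason, entries in summarize(hits).items():
        print(reason)
        for name, result in entries:
            print(f"  {name:<24} {result}")
```

Run against a real export, the two directories would be the folder the setup was started from and the value of %TEMP% of the account that ran it; the "NAME NOT FOUND" entries in the first group are the names the test bed warned about, the "SUCCESS" entries in the second group are the payload DLLs discussed in the next section.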
Unpack/download to a temp directory
Stefan Kanthak then noticed that the installer writes the files into the Temp folder of the user profile when it is executed:
it creates a subdirectory EUT<abcd>.tmp in the %TEMP% folder, into which it unpacks its payload (see the following list):
…\EU753E.tmp\MicrosoftEdgeUpdate.exe
…\EU753E.tmp\msedgeupdate.dll
…\EU753E.tmp\MicrosoftEdgeUpdateBroker.exe
…\EU753E.tmp\MicrosoftEdgeUpdateOnDemand.exe
…\EU753E.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
…\EU753E.tmp\MicrosoftEdgeComRegisterShellARM64.exe
…\EU753E.tmp\psmachine.dll
…\EU753E.tmp\psmachine_64.dll
…\EU753E.tmp\psmachine_arm64.dll
…\EU753E.tmp\psuser.dll
…\EU753E.tmp\psuser_64.dll
…\EU753E.tmp\psuser_arm64.dll
…\EU753E.tmp\NOTICE.TXT
…\EU753E.tmp\MicrosoftEdgeUpdateCore.exe
…\EU753E.tmp\msedgeupdateres_am.dll
…
…\EU753E.tmp\msedgeupdateres_uz-Latn.dll
…\EU753E.tmp\MicrosoftEdgeUpdateSetup.exe
I could not find this directory on my drive. Later I found out that the installer deletes this directory after the installation. Only when I looked again during the setup process was the temporary folder there.
Malware has write and execute rights to temp
The Temp folder in the user profile can be filled with files by the user, including malware, at any time. Malware can therefore easily overwrite the Edge setup files in the Temp folder. These would then be executed during setup, and the malware would receive administrator rights from the installer. Stefan Kanthak writes about another problem:
3. unfortunately the subdirectory, and thus the unpacked files, inherit the inheritable NTFS access rights of %TEMP% … which for 20 years has included the entry
(D;OIIO;WP;;;WD) alias "Prohibit file execution"
So this crap installer, created by bloody beginners, failed in an attempt to launch \EU753E.tmp\MicrosoftEdgeUpdate.exe without any further error message!
4. after I changed the NTFS access rights of …\EU753E.tmp\* before launching …\EU753E.tmp\MicrosoftEdgeUpdate.exe, the installer crap shows the window below with error code 0x80040C01.
This error code seems to be a catch-all: the same error also appears when the setup program is called with the /? switch. Stefan Kanthak writes that the Help button displayed in the window opens the default browser with this troubleshooting page. Unfortunately, the error code 0x80040C01 is not explained there.
The TenForums website does document error codes, but the code above is not among them. The conclusion remains that the Edge installer is not exactly impressive from a security point of view. Not so nice …
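To see why the unpacked files would not start, it helps to read the SDDL entry quoted above term by term: D = deny, OI/IO = inherited by files created below but not effective on the folder itself, WP = the 0x20 bit (SDDL spells it "write property"; on a file that bit is FILE_EXECUTE), WD = Everyone. The following is an added example, not code from the blog post or from Stefan Kanthak's test bed; it parses the DACL part of an SDDL string and reports whether a directory carries such an inheritable deny-execute entry. The two DACL strings are constructed (the user SID is made up); on Windows the live string comes from (Get-Acl $env:TEMP).Sddl.

```python
"""Decode the SDDL access-control entry that blocks execution under %TEMP%.

Added example, not code from the blog post or from Stefan Kanthak's test bed.
It parses the DACL part of an SDDL string far enough to explain each ACE and
to report whether a directory's DACL carries an inheritable deny-execute
entry for Everyone, i.e. the (D;OIIO;WP;;;WD) entry that made the unpacked
installer files non-executable. The DACL strings below are constructed.
"""
import re

ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {
    "OI": "object inherit",       # applies to files created below
    "CI": "container inherit",    # applies to subdirectories
    "IO": "inherit only",         # not effective on the directory itself
    "NP": "no propagate inherit",
    "ID": "inherited",
}
# Two-letter right codes as they apply to file system objects. SDDL spells
# the 0x20 bit as WP (write property); on a file that bit is FILE_EXECUTE.
FILE_RIGHTS = {
    "FA": "full access", "FR": "file read", "FW": "file write",
    "FX": "file execute", "WP": "FILE_EXECUTE (0x20)",
    "GA": "generic all", "GR": "generic read", "GW": "generic write",
    "GX": "generic execute", "RC": "read control", "SD": "delete",
    "WD": "write DAC", "WO": "write owner",
}
WELL_KNOWN_SIDS = {
    "WD": "Everyone", "BA": "Administrators", "SY": "SYSTEM",
    "AU": "Authenticated Users", "BU": "Users", "CO": "Creator Owner",
}
FILE_EXECUTE = 0x20
EXECUTE_CODES = {"WP", "FX", "GX", "FA", "GA"}   # masks containing 0x20

# Constructed DACLs: the first resembles a default %TEMP% (user SID made up),
# the second adds the inheritable deny-execute entry for Everyone.
DEFAULT_TEMP_DACL = (
    "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
    "(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)"
)
HARDENED_TEMP_DACL = DEFAULT_TEMP_DACL + "(D;OIIO;WP;;;WD)"


def _pairs(text):
    """Split a run of two-letter SDDL codes ('OIIO' -> ['OI', 'IO'])."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_dacl(sddl):
    """Return one dict per ACE in the D: section of an SDDL string."""
    match = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not match:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:          # type;flags;rights;object;inherit;sid
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh, sid = fields
        aces.append({
            "type": ace_type,
            "flags": _pairs(flags),
            "rights": [rights] if rights.startswith("0x") else _pairs(rights),
            "sid": sid,
        })
    return aces


def _covers_execute(rights):
    """True if the rights list includes the FILE_EXECUTE bit."""
    for code in rights:
        if code.startswith("0x"):
            if int(code, 16) & FILE_EXECUTE:
                return True
        elif code in EXECUTE_CODES:
            return True
    return False


def describe_ace(ace):
    """Human-readable line for one ACE."""
    who = WELL_KNOWN_SIDS.get(ace["sid"], ace["sid"])
    rights = ", ".join(FILE_RIGHTS.get(r, r) for r in ace["rights"])
    flags = ", ".join(ACE_FLAGS.get(f, f) for f in ace["flags"]) or "this object only"
    return f"{ACE_TYPES.get(ace['type'], ace['type'])} {who}: {rights} [{flags}]"


def blocks_execution_for_everyone(sddl):
    """True if files created in the directory inherit a deny ACE for Everyone
    that covers FILE_EXECUTE; such files cannot be launched, which is why the
    unpacked MicrosoftEdgeUpdate.exe failed to start in Kanthak's setup."""
    for ace in parse_dacl(sddl):
        if ace["type"] != "D" or ace["sid"] not in ("WD", "S-1-1-0"):
            continue
        if "OI" in ace["flags"] and _covers_execute(ace["rights"]):
            return True
    return False


if __name__ == "__main__":
    for name, dacl in (("default", DEFAULT_TEMP_DACL), ("hardened", HARDENED_TEMP_DACL)):
        print(f"{name}: blocks execution = {blocks_execution_for_everyone(dacl)}")
        for ace in parse_dacl(dacl):
            print("  " + describe_ace(ace))
```

Because the deny entry is inherit-only with object inherit, the folder itself stays usable for writing and listing, but every file written below it, including an installer's unpacked payload, is born non-executable; an installer that wants to run its own temporary files has to set an explicit ACL on its subdirectory, which is the step the quoted error shows Microsoft's setup does not perform.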