{"id":12783,"date":"2020-01-25T00:01:00","date_gmt":"2020-01-24T23:01:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12783"},"modified":"2020-01-24T22:22:10","modified_gmt":"2020-01-24T21:22:10","slug":"edge-and-its-lousy-installer-security","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/25\/edge-and-its-lousy-installer-security\/","title":{"rendered":"Edge and its poor installer security"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" title=\"Edge\" style=\"border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; float: left; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px\" border=\"0\" alt=\"Edge\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2020\/01\/Edge.jpg\" width=\"65\" align=\"left\" height=\"67\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/24\/edge-installer-sicherheit-mangelhaft\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] Microsoft has been offering the new Chromium-based Edge browser for a few days now. However, the security of the provided Windows installer is quite poor. <\/p>\n<p><!--more--><\/p>\n<p>It was another 'harmless' mail I received from German security expert Stefan Kanthak. He asked me about the new Chromium-based Edge browser from Microsoft: <\/p>\n<blockquote>\n<p>have you already installed MicrosoftEdgeSetup.exe on Windows 7?<\/p>\n<p>The installation program (a self-extractor) is once again industry-<br \/>standard insecure and broken junk&#8230; #<\/p>\n<\/blockquote>\n<p>At this point I was curious and wanted to test it myself. So I quickly downloaded the installer and copied it into my test bed.<\/p>\n<blockquote>\n<p>The test bed is provided by Stefan Kanthak, who deals with such security issues. 
You can download the file <a href=\"https:\/\/skanthak.homepage.t-online.de\/download\/FORWARD.CAB\" target=\"_blank\" rel=\"noopener noreferrer\">Forward.cab<\/a> from his website and extract it into a folder. There is also a <a href=\"https:\/\/skanthak.homepage.t-online.de\/sentinel.html\" target=\"_blank\" rel=\"noopener noreferrer\">Sentinel.exe<\/a>, which also needs to be copied into this folder. That folder is then the test bed.<\/p>\n<\/blockquote>\n<blockquote>\n<p>Note: If a virus scanner raises an alarm when you visit Kanthak's website: he delivers the EICAR test virus in a data block attribute on his website to test whether browsers evaluate it and load it into memory for execution. A virus scanner should then trigger.<\/p>\n<\/blockquote>\n<h2>Installer Security Issues<\/h2>\n<p>With regard to the setup program (.exe file), Stefan Kanthak describes the following points that caught my attention: <\/p>\n<ul>\n<li>0. Only plus point: it does not request administrator rights at start-up;<\/li>\n<li>1. but it loads at least VERSION.dll from its \"application directory\";<\/li>\n<\/ul>\n<p>However, when I launched the setup file <em>MicrosoftEdgeSetup.exe<\/em>, it requested administrator privileges through User Account Control. There was also no alert when running it in my test bed. <\/p>\n<p>After exchanging mails with Stefan Kanthak, the facts were clear. The Edge setup file that downloads the browser from the Internet does not need administrator rights. Rather, the program unpacks the files needed for the Edge installation into a temporary directory and only then runs them. So it was clear why the test bed did not trigger. I then launched the downloaded setup file with the command:  <\/p>\n<p><em>MicrosoftEdgeSetup.exe<\/em> \/?  <\/p>\n<p>The installer and unpacker does not support command line options, but it tries to load certain DLLs. And there I already got several warnings (see the following picture) that DLL files would be loaded from the current directory.  
<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/OWLwHue.jpg\">  <\/p>\n<p>So the installer is vulnerable to DLL hijacking, at least during unpacking. I have already warned here in the blog about several tools with such vulnerabilities. Unfortunately, Microsoft's own installers are frequently among them. <\/p>\n<h2>Unpack\/download to a temp directory<\/h2>\n<p>Stefan Kanthak then noticed that the installer writes the files into the Temp folder of the user profile when it is executed:<\/p>\n<blockquote>\n<p>it creates a subdirectory EUT&lt;abcd&gt;.tmp in the %TEMP% folder, into<br \/>which it unpacks its payload (see the following list):<\/p>\n<p>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdate.exe<br \/>&#8230;\\EU753E.tmp\\msedgeupdate.dll<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdateBroker.exe<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdateOnDemand.exe<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdateComRegisterShell64.exe<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeComRegisterShellARM64.exe<br \/>&#8230;\\EU753E.tmp\\psmachine.dll<br \/>&#8230;\\EU753E.tmp\\psmachine_64.dll<br \/>&#8230;\\EU753E.tmp\\psmachine_arm64.dll<br \/>&#8230;\\EU753E.tmp\\psuser.dll<br \/>&#8230;\\EU753E.tmp\\psuser_64.dll<br \/>&#8230;\\EU753E.tmp\\psuser_arm64.dll<br \/>&#8230;\\EU753E.tmp\\NOTICE.TXT<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdateCore.exe<br \/>&#8230;\\EU753E.tmp\\msedgeupdateres_am.dll<br \/>\u2026<br \/>&#8230;\\EU753E.tmp\\msedgeupdateres_uz-Latn.dll<br \/>&#8230;\\EU753E.tmp\\MicrosoftEdgeUpdateSetup.exe<\/p>\n<\/blockquote>\n<p>I could not find this directory on my drive. Later I found out that the installer deletes this directory after the installation. Only when I looked again during the setup process was the temporary folder there. <\/p>\n<h2>Malware has write and execute rights to Temp<\/h2>\n<p>The <em>Temp<\/em> folder in the user profile can be filled with files by the user, including malware, at any time. 
Malware can therefore easily overwrite the Edge setup files in the <em>Temp<\/em> folder. These would then be executed during setup, and the malware would receive administrator rights from the installer. Stefan Kanthak writes about another problem:<\/p>\n<blockquote>\n<p>3. unfortunately the subdirectory and thus the unpacked files inherit the inheritable NTFS access rights of %TEMP% &#8230; which for 20 years have included the entry <\/p>\n<p>(D;OIIO;WP;;;;WD) alias \"Prohibit file execution\"<\/p>\n<p>So this crap of an installer, created by bloody beginners, failed in an attempt to launch \\EU753E.tmp\\MicrosoftEdgeUpdate.exe without a further error message!<\/p>\n<p>4. after I changed the NTFS access rights of &#8230;\\EU753E.tmp\\* before launching &#8230;\\EU753E.tmp\\MicrosoftEdgeUpdate.exe, the installer crap shows the window below with error code 0x80040C01.<\/p>\n<\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Edge Fehlercode  0x80040C01\" alt=\"Edge Fehlercode  0x80040C01\" src=\"https:\/\/i.imgur.com\/T5yn8x5.jpg\" width=\"600\" height=\"261\"><\/p>\n<p>This error code seems to be a generic one, because the same error also appears when calling the setup program with the \/? switch. Stefan Kanthak writes that the Help button displayed in the window opens the default browser with <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4533311\/microsoft-edge-troubleshooting-tips-for-installing-and-updating\" target=\"_blank\" rel=\"noopener noreferrer\">this troubleshooting page<\/a>. Unfortunately, the error code 0x80040C01 is not explained there. <\/p>\n<p>The <a href=\"https:\/\/www.tenforums.com\/browsers-email\/128467-microsoft-edge-insider-builds-troubleshoot-install-updates.html\" target=\"_blank\" rel=\"noopener noreferrer\">TenForums website<\/a> does document error codes, but the above code is not included. The conclusion remains that the Edge installer is nothing to write home about from a security point of view. 
Not so nice &#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft offers the new Chromium-based Edge Browser since a few days now. However, the security of the provided Windows installer is quite poor.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[872,580,1547],"tags":[320,69],"class_list":["post-12783","post","type-post","status-publish","format-standard","hentry","category-browser","category-security","category-software","tag-edge","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12783"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12783\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}