Hi @ll,
"C:\Program Files\Apple Software Update\SoftwareUpdate.exe", part
of Apple's Software Update and installed together with iTunes,
QuickTime and other of Apple's crap for Windows, is periodically
called with the argument "-task".
This invokes the COM server {91A9E6A9-3935-4A37-AFBA- F0904B166364}
alias AppleSoftwareUpdate. ASUInstallhost, implemented in the DLL
C:\Program Files\Apple Software Update\SoftwareUpdateAdmin.Dll
This COM server runs with administrative rights and executes the
command line
C:\Program Files\Apple Software Update\SoftwareUpdate.exe -background
without properly quoted pathname, resulting in the execution of one
of the rogue programs "C:\Program.exe", "C:\Program Files\Apple.exe"
or "C:\Program Files\Apple Software.exe" (on x86) resp. "C:\Program.exe",
"C:\Program Files.exe", "C:\Program Files (x86)\Apple.exe" or
"C:\Program Files\Apple Software.exe" (on x64) with administrative
rights.
From <http://msdn.microsoft.com/ library/cc144175.aspx>
or <http://msdn.microsoft.com/ library/cc144101.aspx>:
| Note: If any element of the command string contains or might contain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
| spaces, it must be enclosed in quotation marks. Otherwise, if the
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument.
Since every user account created during Windows setup has administrative
rights every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.
JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/ kb/2526083>:
| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."
regards
Stefan Kanthak
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
"C:\Program Files\Apple Software Update\SoftwareUpdate.exe", part
of Apple's Software Update and installed together with iTunes,
QuickTime and other of Apple's crap for Windows, is periodically
called with the argument "-task".
This invokes the COM server {91A9E6A9-3935-4A37-AFBA-
alias AppleSoftwareUpdate.
C:\Program Files\Apple Software Update\SoftwareUpdateAdmin.Dll
This COM server runs with administrative rights and executes the
command line
C:\Program Files\Apple Software Update\SoftwareUpdate.exe -background
without properly quoted pathname, resulting in the execution of one
of the rogue programs "C:\Program.exe", "C:\Program Files\Apple.exe"
or "C:\Program Files\Apple Software.exe" (on x86) resp. "C:\Program.exe",
"C:\Program Files.exe", "C:\Program Files (x86)\Apple.exe" or
"C:\Program Files\Apple Software.exe" (on x64) with administrative
rights.
From <http://msdn.microsoft.com/
or <http://msdn.microsoft.com/
| Note: If any element of the command string contains or might contain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks. Otherwise, if the
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument.
Since every user account created during Windows setup has administrative
rights every user owning such an account can create the rogue program(s),
resulting in a privilege escalation.
JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/
| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."
regards
Stefan Kanthak
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information