Be aware of this Windows registry vulnerability

Even if you don't know much about the Windows registry, it's a good bet that you <i>do</i> know that editing the registry is potentially dangerous. However, a recent discovery showed that editing is no longer the only thing we have to fear about the registry. Jonathan Yarden tells you about a new-found vulnerability in the Windows registry, and he tells you what steps you can take to protect your systems.

A few days ago, one of my coworkers mentioned that the 10th anniversary of Windows 95 had recently passed. While I'm not particularly nostalgic when it comes to most topics, I do have a soft spot for computer history.

Back in 1995, I was doing a lot of Windows 3.1 programming; in fact, I still have quite a few of the CD-ROM sets from the Microsoft Developer Network. Ten years ago, in fact, I was finishing up a custom video driver for Windows 3.1 when Microsoft released Windows 95.

Incidentally, my specialized video driver became obsolete long before I ever finished it. That was partially thanks to the release of Windows 95, but it was also due to the fact that I spent a lot of time auditing thousands of lines of C and assembly language code to make sure it didn't break—a first-hand example of the difficulty in developing software that's secure and reliable while still sticking to the timeline.

Windows 95 was a far cry from the MS-DOS-layered versions of Windows before it, and it borrowed features and concepts from both Windows NT and OS/2, which Microsoft had earlier developed jointly with IBM. As such, it was a mixture of old and new Windows features, and quite a few of its concepts and ideas came from OS/2.

Included in those new features was the Windows registry, a unified access method replacing the .ini files that earlier Microsoft operating systems used for configuration. Although the registry appeared as early as Windows 3.1 (and Windows for Workgroups 3.11), few people knew anything about it until Windows 95.

Basically, the registry is a hierarchical database of key and value pairs that replaces and extends the functionality of the flat-file .ini system in Windows. But even if you know little about the Windows registry, I'm willing to bet that you do know that editing the registry is potentially dangerous. One false move can cause irreversible damage to your operating system.

However, a recent discovery showed that editing is no longer the only thing we have to fear about the Windows registry. Security company Secunia released an advisory in late August that revealed an error in how the Registry Editor (Regedit.exe) utility handles long value names.

Registry value names longer than 254 characters (and any entries underneath them) are invisible to Microsoft's graphical registry tools, and this is cause for some alarm. Secunia rated the issue as not critical, but the flaw lets an attacker hide the presence of malware on a computer: the key still exists and the operating system still reads it, yet the tool an administrator would reach for first shows nothing there.

This registry vulnerability is the latest example of an early design flaw that continues to pop up in later Windows versions. It's also a bit ironic: At times, Microsoft has appeared quite proud of the registry, touting that it prevents "average" users from modifying integral Windows settings. But the software giant neglected to consider that the registry does nothing to stop a skilled malware programmer.

So companies need to take note that neither Regedit nor Regedt32 can display overly long registry entries—or any of the key and value pairs underneath a long parent entry. Whether rated critical or not, this is a security risk, and malware programmers are already exploiting it.

Viruses, Trojan horses, and other malware have traditionally wrought havoc by messing with the registry, such as adding startup entries. Now would-be attackers have yet another way to go about it—while remaining invisible to Microsoft's graphical registry tools.

Worse is the fact that Regedit and Regedt32 aren't the only tools that fail to display long registry entries. A lot of commercial anti-spyware tools, including Microsoft's own Windows AntiSpyware, also fail to find them.

However, you do have some options. The Reg.exe command-line registry tool shipped with current Windows versions can display long registry entries hidden from Microsoft's graphical registry tools, provided you know where to look. The same is true of anything that enumerates a key through the registry API rather than through Regedit's display code.
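The following PowerShell script is an added example, not code from the column or from Secunia. It reproduces the condition the advisory describes in a throwaway key under HKCU (no administrator rights needed), enumerates that key through the .NET registry API, which has no 254-character display limit, and then reuses the same check to sweep the standard Run and RunOnce autostart keys that malware typically targets. The key path HKCU:\Software\LongValueNameDemo, the 300-character value name and the payload string are assumptions chosen for the demonstration; whether the graphical editor on your particular Windows build still hides the value is something to confirm by opening Regedit at that key while the script pauses.

```powershell
# Added example (not from the original column). Reproduces a value whose name
# exceeds 254 characters, then finds it through the registry API.
# Assumed names: the demo key path, the value name and the payload string.

$TestKeyPath = 'HKCU:\Software\LongValueNameDemo'          # assumption: scratch key
$LongName    = 'HiddenAutorun_' + ('A' * 300)               # 314 chars, past the limit

function Find-LongValueNames {
    # Enumerate every value name under $KeyPath via Microsoft.Win32.RegistryKey
    # and report those longer than $Threshold characters.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [int]$Threshold = 254
    )
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        if ($name.Length -gt $Threshold) {
            [pscustomobject]@{
                Key        = $KeyPath
                NameLength = $name.Length
                NamePrefix = $name.Substring(0, 40) + '...'
                Kind       = $key.GetValueKind($name)
                Data       = $key.GetValue($name)
            }
        }
    }
}

# 1. Create the test key, a value with an over-length name, and an ordinary
#    value afterwards so you can compare what the GUI shows for each.
New-Item -Path $TestKeyPath -Force | Out-Null
New-ItemProperty -Path $TestKeyPath -Name $LongName -Value 'C:\temp\payload.exe' `
    -PropertyType String -Force | Out-Null                   # assumption: fake payload path
New-ItemProperty -Path $TestKeyPath -Name 'OrdinaryValue' -Value 'visible' `
    -PropertyType String -Force | Out-Null

# 2. Compare the views. Regedit is the graphical tool the column says hides the
#    value; reg.exe is the command-line tool the column says shows it.
Write-Host "Open Regedit at $TestKeyPath, then press Enter to continue."
[void](Read-Host)
reg query 'HKCU\Software\LongValueNameDemo'

# 3. Enumerate through the API: the over-length name is reported here regardless
#    of what the GUI displayed.
Find-LongValueNames -KeyPath $TestKeyPath | Format-List

# 4. Remove the scratch key.
Remove-Item -Path $TestKeyPath -Recurse -Force

# 5. Apply the same check to the autostart keys malware most often abuses.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = foreach ($k in $AutostartKeys) {
    if (Test-Path $k) { Find-LongValueNames -KeyPath $k }
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No over-length value names in autostart keys.' }
```

The sweep in step 5 is the part worth keeping: run it from a scheduled task or a logon script and compare the output against a known-good baseline. Reading the same keys with reg query works too, but the API call gives you the name length and data type directly, which is what you want to alert on.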

Of course, tools like this are of little use to average users; few people know what they're doing with the registry anyway. So once again, we have a case where the details, while interesting, are irrelevant to solving the actual problem. The Windows registry makes a great hiding place for all sorts of malware: The malware remains invisible to the Registry Editor as well as anti-spyware software, and most users won't go near the registry anyway.

If you've been putting off installing anti-spyware software on your organization's Windows systems, don't wait any longer. Tools such as BHODemon, Spybot Search & Destroy, and HijackThis are able to root out long registry entries. And as a bonus, they're also free to use. But remember the cardinal rule about the Windows registry: Playing around with it can render a computer unbootable.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.


Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.