A few days ago, one of my coworkers mentioned that the 10th anniversary
of Windows 95 had recently passed. While I’m not particularly nostalgic
when it comes to most topics, I do have a soft spot for computer history.
Back in 1995, I was doing a lot of Windows 3.1 programming; in
fact, I still have quite a few of the CD-ROM sets from the Microsoft Developer
Network. Ten years ago, I was finishing up a custom video driver for
Windows 3.1 when Microsoft released Windows 95.
Incidentally, my specialized video driver became obsolete
long before I ever finished it. That was partially thanks to the release of
Windows 95, but it was also due to the fact that I spent a lot of time auditing
thousands of lines of C and assembly language code to make sure it didn’t break—a
first-hand example of the difficulty in developing software that’s secure and
reliable while still sticking to the timeline.
Windows 95 was a far cry from the MS-DOS-layered version of Windows,
and it borrowed features and concepts from both Windows NT and OS/2, which
Microsoft was still developing with IBM at the time. As such, there was a mixture
of both old and new Windows features, and quite a lot of concepts and ideas
managed to come from OS/2.
Included in those new features was the Windows registry—a
unified access method for the previous .ini file system used in earlier
Microsoft operating system versions. Although the registry appeared as early as
Windows 3.11—commonly known as Windows for Workgroups—few people knew anything
about the Windows registry until Windows 95.
Basically, the registry is a hierarchical database of key and
value pairs that replaces and extends the functionality of the flat-file .ini
system in Windows. But even if you know little about the Windows registry, I’m
willing to bet that you do know that
editing the registry is potentially dangerous. One false move can cause
irreversible damage to your operating system.
However, a recent discovery showed that editing is no longer
the only thing we have to fear about the Windows registry. Security company
Secunia released an advisory in late August that revealed an error in how the Registry Editor (Regedit.exe)
utility handles long string names.
Apparently, registry entries whose names are longer than 254 characters (and
any entries underneath them) are invisible to Microsoft’s graphical registry tools,
and this is cause for some alarm. While Secunia has rated the issue as not
critical, the flaw allows hackers to hide the presence
of malware on a computer.
This registry vulnerability is the latest example of an
early design flaw that continues to pop up in later Windows versions. It’s also
a bit ironic: At times, Microsoft has appeared quite proud of the registry—touting
that it prevents “average” users from modifying or changing integral
Windows settings. But the software giant neglected to consider that the
registry doesn’t stop a skilled malware programmer in the least bit.
So companies need to take note that neither Regedit nor Regedt32
can display overly long registry entries—or any of the key and value pairs
underneath a long parent entry. Whether rated critical or not, this is a security risk, and malware
programmers are already exploiting it.
Viruses, Trojan horses, and other malware have traditionally
wrought havoc by messing with the registry, such as adding startup entries. Now
would-be attackers have yet another way to go about it—while remaining
invisible to Microsoft’s graphical registry tools.
Worse is the fact that Regedit and Regedt32 aren’t the only
tools that fail to display long registry entries. A lot of commercial
anti-spyware tools—including Microsoft’s own Windows
AntiSpyware—also fail to find them.
However, you do have some options. The Reg.exe command-line
registry tool shipped with current Windows versions can display long registry entries hidden from Microsoft’s graphical
registry tools—provided you know where to look.
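One practical way to “know where to look” is to let Reg.exe write a key tree to a .reg export and then scan that text for names the graphical tools would hide. The script below is an added example written for this column, not code from the column or from Microsoft. It assumes the export was produced with the real `reg export` subcommand of Reg.exe, that Reg.exe includes overlong names in the export (as the column says it can display them), and it uses the 254-character threshold the column quotes. The sample export embedded in the block is constructed for the demonstration and is not a capture from a real machine; the key and value names in it are placeholders.

```python
"""Scan a .reg export for registry names the graphical tools cannot show.

Produce the export with the Reg.exe tool named in the column, for example:
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
Reg.exe writes the file as UTF-16LE with a byte-order mark, so read it with
open(path, encoding="utf-16") before passing the text to find_hidden_entries().
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Threshold quoted in the column: names longer than 254 characters are hidden.
MAX_VISIBLE_NAME_LEN = 254

_KEY_LINE = re.compile(r"^\[-?(.+)\]$")             # [HKEY_...\path]  (leading '-' = delete)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=')  # "name"=data  or  @=data


@dataclass
class Finding:
    key_path: str
    value_name: Optional[str]   # None when the key itself is the finding
    reason: str


def iter_reg_entries(text: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (key_path, value_name) for every key and value line in a .reg export.
    value_name is None for the key line itself; the default value '@' is yielded
    as ''. Continuation lines of multi-line hex data match neither pattern and
    are skipped, as are comments and the version header."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_LINE.match(line)
        if key:
            current = key.group(1)
            yield current, None
            continue
        value = _VALUE_LINE.match(line)
        if value and current is not None:
            name = value.group(1)
            # Undo the .reg escaping of quotes and backslashes inside the name.
            name = "" if name is None else name.replace('\\"', '"').replace("\\\\", "\\")
            yield current, name


def find_hidden_entries(text: str, limit: int = MAX_VISIBLE_NAME_LEN) -> List[Finding]:
    """Return every key or value a GUI registry editor would not display:
    a key whose own name is overlong, anything beneath such a key, and any
    value whose name is overlong."""
    findings: List[Finding] = []
    for key_path, value_name in iter_reg_entries(text):
        components = key_path.split("\\")
        hidden_ancestor = any(len(c) > limit for c in components[:-1])
        key_overlong = len(components[-1]) > limit
        if value_name is None:
            if key_overlong:
                findings.append(Finding(key_path, None,
                                        f"key name is {len(components[-1])} chars (> {limit})"))
            elif hidden_ancestor:
                findings.append(Finding(key_path, None, "key sits beneath an overlong parent key"))
        else:
            if len(value_name) > limit:
                findings.append(Finding(key_path, value_name,
                                        f"value name is {len(value_name)} chars (> {limit})"))
            elif key_overlong or hidden_ancestor:
                findings.append(Finding(key_path, value_name, "value sits beneath a hidden key"))
    return findings


# Constructed sample export (not a real capture): a normal Run key holding one
# ordinary value, one overlong value name, and one overlong subkey with a value
# beneath it. All names here are placeholders.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LONG_NAME = "A" * 260      # constructed: exceeds the 254-character limit
LONG_VALUE = "B" * 255     # constructed: exceeds the 254-character limit
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{RUN_KEY}]",
    r'"ExampleApp"="C:\\Program Files\\Example\\app.exe"',
    f'"{LONG_VALUE}"="1"',
    "",
    f"[{RUN_KEY}\\{LONG_NAME}]",
    r'"Updater"="C:\\Program Files\\Example\\updater.exe"',
    "",
])


def _short(name: str, keep: int = 24) -> str:
    """Abbreviate very long names for display."""
    return name if len(name) <= keep else f"{name[:keep]}...({len(name)} chars)"


if __name__ == "__main__":
    for f in find_hidden_entries(SAMPLE_EXPORT):
        key = "\\".join(_short(c) for c in f.key_path.split("\\"))
        target = key if f.value_name is None else f"{key} -> {_short(f.value_name)!r}"
        print(f"HIDDEN: {target}: {f.reason}")
```

Run against the embedded sample, the script reports three findings: the overlong value name in the Run key, the overlong subkey, and the value beneath that subkey. Anything the script flags should be cross-checked in Regedit; a key or value present in the export but absent from the graphical view is exactly the condition the advisory describes.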
Of course, tools like this are of little use to average
users; few people know what they’re doing with the registry anyway. So once
again, we have a case where the details, while interesting, are irrelevant to
solving the actual problem. The Windows registry makes a great hiding place for
all sorts of malware: The malware remains invisible to the Registry Editor as
well as anti-spyware software, and most users won’t go near the registry
anyway.
If you’ve been putting off installing anti-spyware software on
your organization’s Windows systems, don’t wait any longer. Tools such as BHODemon,
Spybot Search & Destroy, and HijackThis are able to root out long
registry entries. And as a bonus, they’re also free to use. But remember the
cardinal rule about the Windows registry: Playing around with it can render a
computer unbootable.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.