3APA3A <[EMAIL PROTECTED]> writes:
> Hello ByteRage,
>
> I completely disagree with your paper. It puts software developers and
> users into false sense of security. Right now SECURITY.NNOV is working
> out few MS-DOS Device Name issues with vendors (not only in Windows
> 95/98/ME but also in NT/2000), and the problem is definitely in
> software, not in operation system, because operation system behaves
> exactly as expected and documented.
Having a specification that says something doesn't make it a good
spec. I agree with ByteRage -- it is a fault in the OS (and its
specification) for the OS to parse file names specially regardless of
location in the filesystem hierarchy, simply because it opens up so
many security-related bugs.
> Later we will publish our
> advisory. Software MUST check type of file it tries to access BEFORE
> it access it, if this can cause access to special device. Special
> devices under Windows allow raw access to ports, drives, tapes, etc
> and impact of such access can be same with impact of accessing /dev
> under unix.
The notable difference is that in Unix, the system administrator has
control over where device files exist. Under Windows, they exist
_automatically_, in every directory. That's why it is such a problem
for applications running under Windows platforms, and (I believe) why
device files are not considered a serious problem for Unix-like
platforms.
If Microsoft keeps the current behavior for backwards compatibility,
then your conclusions about using functions such as GetFileType()
(rather than enumerating names) hold; but one can always hope that
the OS's behavior will be fixed.
-- Michael
