[Full-disclosure] Re: when will AV vendors fix this???
Bipin Gautam
gautam.bipin at gmail.com
Tue Aug 8 03:09:13 BST 2006
> >
> This is similar to the problem of alternative data streams.
> Essentially, the work needed to solve this problem isn't worth the
> expenditure of time and effort, because the file, in order to infect the
> system, has to be executed. Once the file is executed "normal"
> on-access scanning will catch the exploit *if* it is known. (If it's
> unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see"
> the file, but even malicious files are benign until they are run.
>
i still insist, it might be a minor glitch to NOT ALLOW even admins to
access a private file directly, but it isn't an issue with windows at
all!!!
I thought the the files should be accessed via "SeTcbPrivilege" BUT it
doesn't. )O;
but hey, most of "the file undelete utilities" already do this.....
if you try reading/copying a EXISTING file (via sys admin privilage)
using (say Restorer2000 Demo) it effectively bypasses file permission
regardless if it...... & can read the file! there must be another
undocumented? API doing this???
another note, even WINDOWS ONECAIR is pron to this bug.
-bipin
Full-Disclosure is hosted and sponsored by Secunia.