Hrm... 5/9/2014 2:07:00 PM

After hearing about a recent bug (https://cxsecurity.com/issue/WLB-2014050050) I created a C:\program.exe app to show me if some other applications might also have the same problem.

On Windows 8.1 Update 1 with all updates, after using the “Close program” gesture to close Immersive IE, I see my program.exe application runs with the following output:

Program.exe invoked with the following parameters: 

Raw command line:
        C:\Program Files\Internet Explorer\iexplore.exe -BackgroundSessionClosed 

Arguments:
        Files\Internet
        Explorer\iexplore.exe
        -BackgroundSessionClosed

Press any key to continue...

This link: https://bugzilla.mozilla.org/show_bug.cgi?id=846365 suggests to me that the invoking code might related to the PLM system used for Metro suspension.

Repro:

  1. Save www.ericlawrence.com/dl/alert.exe as C:\program.exe (This trivial app simply shows the command line arguments that it is passed).
  2. Close Desktop IE instances.
  3. Run Metro IE. Browse a bit.
  4. Use the close gesture to close IE.

Observe: Program.exe is executed.

Arguably, this isn’t an important security issue because writing to the root requires Admin and the program is only executing with user-level permissions, but historically we’ve seen this sort of mistake used as a stepping stone of other exploits. The affected codepath may also allow repro for ANY Immersive browser (not just IE) which could have unknown security impact.

+ Comment
Eric MSRC sent this one back as "not a vulnerability" due to ACLs on the root folder.


< Eric's Blog Home


©1998-2020 Eric Lawrence