Windows security flaw allows hacker to fake security dialog boxes


A bug in Microsoft Windows would allow hackers to spoof the Windows dialog boxes that pop up when changes are made to the Windows registry. This would allow a hacker to install malware or make other changes in the registry while getting around Windows' built-in defenses. According to white hat researcher John Page, it's possible to edit what the dialog box says in order to trick users into clicking “Yes.” Normally, when a change is made to the registry using a .reg file, a registry security warning dialog box opens. An edited security prompt can tell users to click “Yes” to abort if they do not trust the source of the file, but clicking “Yes” actually clears the import to proceed.

The Windows registry is basically a database that logs software and application configuration information, device drivers for hardware and other system information, along with any changes made to them. Changes made during the use of the computer to Control Panel settings, file associations, Windows components and so on are updated in the registry as well. The registry also serves as an index to the operation of the kernel, revealing run-time information about the system.


The registry is critical for the stability, reliability and performance of a computer. Because it is so ingrained into the operating system, it is a target for hackers who want to attack a system and get around standard security controls. Common attacks include the use of registry keys to store and hide next-step code for malware after it has been dropped on a system. Malware may also use native Windows tools to perform its commands, so that it is undetectable by signature-based security software such as antivirus. Hackers can also use program run keys and the Windows startup folder to persist and, if the registry keys for a service are modified, the ImagePath or binPath key can be modified to instead point to a malicious executable or a newly created one. This allows malware to start with Windows and run under a local system account with elevated privileges.

Registry files can be created by a user in the registry's text editor. What Page found is that .reg filenames can be crafted to spoof the default registry warning dialog box, so that users think they are canceling the registry import when the security warning dialog box is in fact lying to them. Page was able to fake the messages displayed in the registry security warning dialog box by creating a .reg file with encoded characters, along with his own message, in the filename itself. This enabled Page to override the dialog warnings with his own instructions.
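Because the spoofed text travels in the filename, a mail gateway or download scanner can inspect .reg names before a user ever double-clicks them. The following Python check is an added example, not code from Page's research or from Microsoft; its heuristics (percent-style sequences, control characters, sentence-like or overlong names), the word list, the length threshold and the sample paths are all assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed heuristics: the article only says the filename carries
# "encoded characters" plus a message, so each rule below is a guess
# at what that looks like, tuned for triage rather than proof.
ENCODED = re.compile(r"%[0-9A-Za-z]")      # percent-style sequences
CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # seen in archive/attachment names
PROMPT_WORDS = re.compile(
    r"\b(yes|no|click|abort|cancel|trust|continue)\b", re.I)
MAX_STEM_LEN = 64                          # assumed threshold


def reg_name_findings(path: str) -> list[str]:
    """Return the reasons a .reg filename looks like dialog spoofing."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".reg":
        return []                          # only registry imports matter
    stem = p.stem
    findings = []
    if ENCODED.search(stem):
        findings.append("encoded-characters")
    if CONTROL.search(stem):
        findings.append("control-characters")
    # A filename that reads like instructions to the user is the tell.
    if len(PROMPT_WORDS.findall(stem)) >= 2 or stem.count(" ") >= 4:
        findings.append("sentence-like-name")
    if len(stem) > MAX_STEM_LEN:
        findings.append("overlong-name")
    return findings


def triage(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {p: f for p in paths if (f := reg_name_findings(p))}


# Constructed sample names, not taken from any real incident.
SAMPLES = [
    r"C:\Users\a\Downloads\settings.reg",
    r"C:\Users\a\Downloads\backup%0A%0AClick Yes to abort if you do not "
    r"trust the source.reg",
    r"C:\Users\a\Downloads\notes%0A.txt",
    "a" * 80 + ".reg",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLES).items():
        print(f"{reasons} <- {path!r}")
```

A hit is a reason to quarantine the file or strip it from the message, since the dialog itself cannot be trusted to describe what the import will do.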

Microsoft doesn't plan on issuing a patch in the near future. According to Microsoft, the issue doesn't meet the severity bar for servicing via a security update. According to Microsoft, it is up to the users to practice safe computing habits online by not clicking on links, opening files or accepting file transfers from untrusted sources.