jinx4848

Niner since 2007


  • Mark Russinovich: From Winternals to Microsoft, On Windows Security, Windows CoreArch

    With regard to ~19:00 of the video and the discussion about the *Setup|Install*.exe heuristic:

    Didn't Mark miss an important point about the finding?

    The claim was that any file with setup or install in it would automatically be given admin privileges which is a security risk, and Mark's rebuttal is that it's not a security risk because "99.9%" of those files are indeed installers.

    But the problem isn't with the executables that *are* installers; they never had security issues to worry about in the first place. The problem is with executables that are *not* installers and pose as one to get free admin rights. Is there anything else guarding an application from exploiting that? If not, then how is that a secure heuristic? I'm confused as to how Mark missed that, and I hope it's because it's something that I missed in my understanding of the issue.